{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48993", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-29T16:34:07.174Z", "datePublished": "2025-06-17T00:43:35.194Z", "dateUpdated": "2025-06-17T13:45:06.357Z"}, "containers": {"cna": {"title": "Group-Office vulnerable to reflected XSS via Look and Feel Formatting input", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv"}, {"name": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd"}, {"name": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.123", "status": "affected"}, {"version": "< 25.0.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-17T00:43:35.194Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."}], "source": {"advisory": "GHSA-xv2x-v374-92gv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-17T13:41:16.140341Z", "id": "CVE-2025-48993", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T13:45:06.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48993", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-17T13:41:16.140341Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T13:45:00.706Z"}}], "cna": {"title": "Group-Office vulnerable to reflected XSS via Look and Feel Formatting input", "source": {"advisory": "GHSA-xv2x-v374-92gv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.123"}, {"status": "affected", "version": "< 25.0.27"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd", "name": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11", "name": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-17T00:43:35.194Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48993", "state": "PUBLISHED", "dateUpdated": "2025-06-17T13:45:06.357Z", "dateReserved": "2025-05-29T16:34:07.174Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-17T00:43:35.194Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27."}, {"lang": "es", "value": "Group-Office es una herramienta de gesti\u00f3n de relaciones con clientes empresariales y software colaborativo. En versiones anteriores a la 6.8.123 y la 25.0.27, se pod\u00eda ejecutar una carga maliciosa de JavaScript a trav\u00e9s de los campos de formato de apariencia. Cualquier usuario puede actualizar sus campos de entrada de formato de apariencia, pero la aplicaci\u00f3n web no depura la informaci\u00f3n. Esto podr\u00eda provocar un ataque de cross-site scripting (XSS) reflejado. Este problema se ha corregido en las versiones 6.8.123 y la 25.0.27."}], "id": "CVE-2025-48993", "lastModified": "2025-06-17T20:50:23.507", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-17T01:15:22.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/commit/1e2a2450f204174f87a93217838d74718996dcdd"}, {"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/commit/a9031884f6a6fbd0f08a8b7790514b5bc0937c11"}, {"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-xv2x-v374-92gv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}