CVE-2025-48366: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Intermesh groupoffice
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution without user interaction. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
AI Analysis
Technical Summary
CVE-2025-48366 is a stored and blind Cross-Site Scripting (XSS) vulnerability affecting the Group-Office application developed by Intermesh, an enterprise customer relationship management (CRM) and groupware tool. The vulnerability exists in versions prior to 6.8.119 and 25.0.20. Specifically, the flaw is located in the Phone Number field of the user profile. An attacker can inject persistent malicious JavaScript payloads into this field. When another user views the Address Book, the injected script executes in their browser context without requiring any user interaction. This allows the attacker to perform unauthorized actions such as forced redirects to malicious sites, unauthorized fetch requests that could exfiltrate data or perform actions on behalf of the victim, and other arbitrary JavaScript execution. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting) and CWE-87. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network attack vector with low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality, integrity, and availability. No exploitation in the wild has been observed yet. The issue is fixed in versions 6.8.119 and 25.0.20 of Group-Office. This vulnerability is significant because it allows attackers to compromise user sessions, steal sensitive information, or manipulate application behavior within enterprise environments using Group-Office, potentially leading to broader network compromise or data breaches.
Potential Impact
For European organizations using Group-Office, this vulnerability presents a notable risk to confidentiality and integrity of internal communications and data. Since Group-Office is used for CRM and groupware functions, exploitation could lead to unauthorized access to sensitive customer data, internal contacts, and scheduling information. The stored XSS can be used to hijack user sessions, perform actions on behalf of users, or spread malware within the organization’s network. This could disrupt business operations, damage customer trust, and lead to regulatory non-compliance, especially under GDPR, which mandates protection of personal data. The lack of required user interaction and privileges makes the vulnerability easier to exploit remotely, increasing the risk of widespread impact in organizations with multiple users accessing the Address Book. Additionally, the high scope means that the vulnerability can affect multiple users once exploited. European organizations with extensive use of Group-Office for collaboration and customer management are particularly at risk of data leakage, unauthorized data manipulation, and potential lateral movement by attackers.
Mitigation Recommendations
Organizations should immediately upgrade Group-Office to versions 6.8.119 or 25.0.20 or later to apply the official patch that addresses this XSS vulnerability. Until patching is possible, administrators should implement strict input validation and sanitization on the Phone Number field to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing Group-Office. Additionally, enable HTTP-only and secure flags on session cookies to reduce the risk of session hijacking. Conduct regular security audits and penetration testing focused on web application inputs and stored data fields. Educate users about the risks of unexpected redirects or unusual behavior when using the Address Book. Network segmentation and monitoring for unusual outbound requests from user browsers can help detect exploitation attempts. Finally, maintain up-to-date backups and incident response plans to quickly recover from any compromise.
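As an added illustration of the two layered controls recommended above (allowlist validation of the phone field on input, and output encoding when the Address Book renders it), the following example is written for this page and is not Group-Office code; the function names and the sample contact records are constructed assumptions.

```javascript
// Added example, not Group-Office code: defence in depth for a stored phone field.
// Layer 1: allowlist validation before the value is persisted.
// Layer 2: HTML-escape every stored value at render time, whether or not
//          it was validated on the way in (older rows may predate validation).

// Allowlist: optional leading '+', a digit, then 2-29 of digits, space, ( ) . -
const PHONE_RE = /^\+?[0-9][0-9 ().\-]{2,29}$/;

function validatePhone(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const value = raw.trim();
  if (!PHONE_RE.test(value)) {
    return { ok: false, reason: 'characters outside allowlist' };
  }
  return { ok: true, value };
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Renders one contact row as an address-book list might. Building the row
// from escaped strings (rather than concatenating raw field values into
// innerHTML) is what keeps stored markup inert in the viewer's browser.
function renderContactRow(contact) {
  return `<tr><td>${escapeHtml(contact.name)}</td>` +
         `<td>${escapeHtml(contact.phone)}</td></tr>`;
}

// Constructed sample data: one clean record, one whose phone field carries markup.
const SAMPLE_CONTACTS = [
  { name: 'Alice Example', phone: '+31 20 123 4567' },
  { name: 'Mallory Example', phone: '012 <script>x</script>' },
];

// Returns, per contact, whether input validation would accept the phone value
// and what the encoded row looks like when rendered anyway.
function demo() {
  return SAMPLE_CONTACTS.map((c) => ({
    accepted: validatePhone(c.phone).ok,
    html: renderContactRow(c),
  }));
}
```

The second record is rejected at layer 1, and even if it had reached storage the rendered row contains only `&lt;script&gt;`, so no script executes for the viewing user.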
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-19T15:46:00.394Z
- Cisa Enriched: false
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682f60d40acd01a249264434
Added to database: 5/22/2025, 5:37:24 PM
Last enriched: 7/8/2025, 8:41:50 AM
Last updated: 8/2/2025, 6:35:51 AM