CVE-2025-48369 is a persistent Cross-Site Scripting (XSS) vulnerability identified in the Group-Office enterprise customer relationship management (CRM) and groupware software developed by Intermesh. The vulnerability affects versions prior to 6.8.119 and 25.0.20. It arises from improper neutralization of input during web page generation, specifically in the tasks comment functionality. Attackers can exploit this flaw by uploading a file with a crafted filename containing malicious JavaScript payloads. When an administrator or user views the task containing this file, the malicious script executes within their browser context. This occurs because the application fails to sanitize image filenames before rendering them in comments, allowing the injection of executable code. The consequence is that attackers can steal sensitive information such as session tokens, cookies, or other data accessible in the victim’s browser context, potentially leading to account compromise or further attacks within the application. The vulnerability requires no authentication but does require user interaction (viewing the task comment). The CVSS 4.0 score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed. No known exploits are reported in the wild yet. The issue is fixed in versions 6.8.119 and 25.0.20 of Group-Office.

For European organizations using Group-Office, this vulnerability poses a significant risk to confidentiality and integrity of sensitive business data managed within the CRM and groupware environment. Successful exploitation could lead to session hijacking, unauthorized access to internal communications, and potential lateral movement within the organization’s network. Since Group-Office is often used for managing customer relationships and internal collaboration, exposure of sensitive client data or internal project details could result in reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. The persistent nature of the XSS means the malicious payload remains active until the affected task comment is removed or the software is updated, increasing the window of opportunity for attackers. Given that the vulnerability requires user interaction, phishing or social engineering techniques could be used to lure administrators or privileged users into viewing malicious tasks, amplifying the risk. The medium severity rating suggests moderate impact but should not be underestimated in environments with high-value data or strict compliance requirements.

1. Immediate upgrade to Group-Office versions 6.8.119 or 25.0.20 where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user-supplied data, especially filenames and comments, to prevent injection of executable scripts. 3. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 4. Educate administrators and users about the risks of opening task comments from untrusted sources and encourage verification of file uploads. 5. Monitor logs for unusual file upload activity or task comment modifications that could indicate exploitation attempts. 6. If patching is delayed, consider temporarily disabling the file upload feature in task comments or restricting it to trusted users only. 7. Conduct regular security assessments and penetration tests focusing on web application input handling to detect similar vulnerabilities early.