CVE-2025-48992 is a stored and blind Cross-Site Scripting (XSS) vulnerability affecting Intermesh's Group-Office, an enterprise customer relationship management (CRM) and groupware tool. The vulnerability exists in versions prior to 6.8.123 and 25.0.27. Specifically, the flaw is located in the Name Field of the user profile, where input is improperly neutralized during web page generation (CWE-79). An attacker with authenticated access and the ability to modify their user profile name can inject malicious JavaScript payloads. When another user adds the malicious user to their Synchronization > Address books, the injected script executes in the victim's browser context. This execution occurs without requiring user interaction, making it a blind XSS scenario. The vulnerability has a CVSS 4.0 base score of 5.2, indicating a medium severity level. The attack vector is network-based with low attack complexity and no user interaction required; however, it requires the attacker to have high privileges (authenticated user) to exploit. The vulnerability impacts confidentiality, integrity, and availability by potentially allowing session hijacking, unauthorized actions, or data exfiltration through script execution in the victim's browser. The issue has been patched in versions 6.8.123 and 25.0.27 of Group-Office. No known exploits are currently reported in the wild. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-87 (Improper Neutralization of Special Elements used in a Command).

For European organizations using Group-Office, this vulnerability poses a moderate risk. Since Group-Office is used for CRM and groupware functions, exploitation could lead to unauthorized access to sensitive customer data, internal communications, and scheduling information. The stored XSS could facilitate session hijacking, privilege escalation, or lateral movement within the organization’s network. Given that the attack requires an authenticated user to inject the payload, insider threats or compromised accounts are the primary risk vectors. The blind nature of the XSS means victims may be unaware of the attack, increasing the potential for stealthy data exfiltration or persistent compromise. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if customer or personal data is exposed. Additionally, the disruption of groupware functions could impact business continuity. The medium CVSS score reflects a balanced risk, but the potential for exploitation in environments with weak access controls or insufficient patch management elevates the threat level.

Upgrade Group-Office installations to versions 6.8.123 or 25.0.27 or later to apply the official patch addressing this vulnerability. Implement strict input validation and output encoding on all user-supplied data fields, especially those rendered in web pages, to prevent injection of executable scripts. Enforce the principle of least privilege by restricting user permissions to only those necessary, minimizing the risk of malicious users injecting payloads. Monitor and audit user profile changes, particularly modifications to the Name Field, to detect suspicious or anomalous inputs that may indicate exploitation attempts. Configure Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources of executable scripts in the browser context. Educate users about the risks of adding unknown or untrusted users to synchronization address books and encourage verification of user identities. Deploy web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Group-Office endpoints. Regularly review and update authentication mechanisms to prevent account compromise, as exploitation requires authenticated access. Conduct periodic security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively.