CVE-2026-30237 is a reflected cross-site scripting (XSS) vulnerability identified in the GroupOffice enterprise CRM and groupware tool, specifically in the installer endpoint install/license.php. The vulnerability exists because the 'license' POST parameter is embedded directly inside a <textarea> element without proper input sanitization or escaping. This allows an attacker to inject a payload that breaks out of the textarea context by injecting a closing </textarea> tag followed by malicious JavaScript code. When a victim interacts with a crafted link or submits a malicious form, the injected script executes in the victim's browser under the context of the GroupOffice domain. This can lead to session hijacking, cookie theft, or other script-based attacks. The flaw affects versions prior to 6.8.155, 25.0.88, and 26.0.10, with patches released in these versions to properly escape input and prevent script injection. The vulnerability requires user interaction (e.g., clicking a malicious link or submitting a crafted form) but does not require authentication, increasing its attack surface. Despite the potential for exploitation, the CVSS 4.0 base score is low (2.1) due to limited impact on confidentiality, integrity, and availability, and the absence of known active exploits. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of the GroupOffice web application. This can lead to session hijacking, theft of sensitive cookies or tokens, and potentially unauthorized actions performed on behalf of the user. However, since the vulnerability is reflected XSS and requires user interaction, the attack vector is limited to social engineering or phishing scenarios. The low CVSS score reflects the limited scope and impact. Organizations using vulnerable versions of GroupOffice risk exposure to targeted attacks that could compromise user sessions or lead to information disclosure. While the vulnerability does not directly affect system availability or integrity of backend data, successful exploitation could facilitate further attacks or unauthorized access. The lack of known exploits in the wild reduces immediate risk but does not eliminate the need for remediation. Enterprises relying on GroupOffice for CRM and groupware functions should consider the potential reputational and operational risks if attackers leverage this vulnerability.

To mitigate this vulnerability, organizations should immediately upgrade GroupOffice installations to versions 6.8.155, 25.0.88, or 26.0.10 or later, where the issue is patched. If upgrading is not immediately feasible, implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'license' POST parameter, especially those attempting to inject closing textarea tags or script elements. Additionally, review and harden input validation and output encoding practices in custom or integrated components interacting with GroupOffice. Educate users about phishing and social engineering risks to reduce the likelihood of successful reflected XSS exploitation. Regularly monitor logs for unusual requests to the install/license.php endpoint. Employ Content Security Policy (CSP) headers to restrict script execution sources, which can mitigate the impact of XSS attacks. Finally, conduct periodic security assessments and penetration tests to verify the effectiveness of these controls.