CVE-2026-30237 is a reflected cross-site scripting (XSS) vulnerability identified in the GroupOffice enterprise CRM and groupware tool developed by Intermesh. The vulnerability exists in the installer endpoint install/license.php, where the POST parameter 'license' is embedded directly into a <textarea> element without proper input sanitization or escaping. This improper neutralization of input (CWE-79) allows an attacker to inject arbitrary JavaScript code by injecting a payload that breaks out of the textarea context using a sequence like '</textarea><script>...</script>'. When a victim user interacts with the vulnerable installer page and submits crafted input, the malicious script executes in their browser context, potentially leading to session hijacking, defacement, or other client-side attacks. The flaw affects versions prior to 6.8.155, 25.0.88, and 26.0.10, with patches released in these versions to properly escape user input. The vulnerability is classified as low severity with a CVSS v4.0 score of 2.1, reflecting limited impact and requiring user interaction. No authentication is needed to exploit this vulnerability, but the attacker must trick a user into submitting the malicious payload. No known active exploitation has been reported. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in installer or setup interfaces that may be exposed during deployment.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript in the context of a user's browser when interacting with the vulnerable GroupOffice installer page. This can lead to session hijacking, theft of sensitive information accessible via the browser, or manipulation of the user interface. However, since the vulnerability is reflected and requires user interaction, the attack surface is limited to users who access the installer page and submit crafted input. The vulnerability does not allow direct compromise of the server or backend systems, nor does it affect data confidentiality or integrity on the server side. Organizations running vulnerable versions of GroupOffice may face risks of targeted phishing or social engineering attacks leveraging this XSS flaw, particularly during installation or upgrade phases. The low CVSS score and absence of known exploits suggest a limited immediate threat, but the vulnerability could be leveraged in combination with other attack vectors to escalate impact. Enterprises relying on GroupOffice for CRM and groupware functions should consider the risk of client-side compromise and potential reputational damage if exploited.

The most effective mitigation is to upgrade GroupOffice installations to versions 6.8.155, 25.0.88, or 26.0.10 or later, where the vulnerability has been patched. Until upgrades can be applied, organizations should restrict access to the installer endpoint (install/license.php) to trusted administrators only, ideally limiting it via network segmentation or firewall rules. Web application firewalls (WAFs) can be configured to detect and block suspicious input patterns attempting to break out of textarea elements or inject script tags. Administrators should educate users and installers to avoid submitting untrusted input during installation. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Regular security audits and code reviews should be conducted to ensure proper input validation and output encoding practices are followed throughout the application. Monitoring logs for unusual requests to the installer endpoint can help detect attempted exploitation attempts.