CVE-2026-30238 is a reflected cross-site scripting (XSS) vulnerability identified in Intermesh's GroupOffice, an enterprise customer relationship management (CRM) and groupware platform. The vulnerability affects versions prior to 6.8.155, 25.0.88, and 26.0.10. The root cause lies in the handling of the 'f' parameter within the external/index flow, which is a Base64-encoded JSON string. This parameter is decoded and then directly injected into an inline JavaScript block without adequate escaping or sanitization. Consequently, an attacker can craft a malicious payload that closes the existing script context and injects arbitrary JavaScript code, such as </script><script>...</script>, leading to arbitrary script execution in the victim's browser. This reflected XSS does not require any authentication or privileges and can be triggered via a specially crafted URL, but it requires user interaction (clicking the malicious link). The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or manipulation of the web application's client-side logic. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited confidentiality and integrity impact. No known exploits have been reported in the wild as of the publication date. The vendor has addressed the issue in the specified patched versions by implementing proper input neutralization and escaping mechanisms. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

This vulnerability can have significant impacts on organizations using affected versions of GroupOffice. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information such as authentication tokens or personal data, and unauthorized actions performed on behalf of the user. This can undermine user trust and lead to data breaches or further compromise of internal systems if attackers leverage the access gained. Since GroupOffice is used for CRM and groupware functions, sensitive business communications and customer data could be exposed or manipulated. The reflected nature of the XSS means attacks typically require social engineering to lure users into clicking malicious links, but the lack of authentication requirement broadens the attacker’s reach. Although the CVSS score is medium, the impact on confidentiality and integrity can be substantial in environments where GroupOffice is critical to business operations. Additionally, exploitation could facilitate phishing campaigns or malware distribution within organizations. The absence of known exploits in the wild suggests limited immediate risk, but the vulnerability should be treated seriously given the potential consequences.

Organizations should immediately upgrade GroupOffice to versions 6.8.155, 25.0.88, or 26.0.10 or later, where the vulnerability is patched. Beyond patching, implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Employ web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting the 'f' parameter or similar vectors. Conduct regular security assessments and penetration testing focused on input validation and output encoding practices. Educate users about the risks of clicking unsolicited links, especially those that appear to come from internal or trusted sources. Review and harden all input handling routines in custom integrations or plugins that interact with GroupOffice to ensure consistent escaping and sanitization. Monitor logs for suspicious URL patterns or repeated access attempts to the vulnerable endpoint. Finally, consider implementing multi-factor authentication (MFA) to reduce the impact of session hijacking if an XSS attack is successful.