CVE-2026-30238: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Intermesh groupoffice
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.
AI Analysis
Technical Summary
CVE-2026-30238 is a reflected cross-site scripting (XSS) vulnerability identified in the Intermesh GroupOffice enterprise CRM and groupware platform. The vulnerability affects versions prior to 6.8.155, 25.0.88, and 26.0.10. The root cause lies in the handling of the 'f' parameter within the external/index flow, which accepts Base64-encoded JSON data. This data is decoded and directly injected into an inline JavaScript block without adequate sanitization or escaping. Consequently, an attacker can craft a malicious payload that breaks out of the intended script context using sequences like </script><script> and inject arbitrary JavaScript code. When a victim accesses a specially crafted URL containing this payload, the malicious script executes in their browser under the context of the GroupOffice domain. This can lead to theft of session cookies, unauthorized actions on behalf of the user, or redirection to malicious sites. The vulnerability does not require authentication and can be exploited remotely, but it does require user interaction (clicking a malicious link). The CVSS v4.0 base score is 5.1, indicating medium severity, reflecting the ease of exploitation combined with limited impact on system integrity or availability. No public exploits or active exploitation campaigns have been reported to date. The issue has been addressed by the vendor in versions 6.8.155, 25.0.88, and 26.0.10 by implementing proper input validation and escaping to neutralize the injected script content.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user sessions within GroupOffice deployments. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed with the victim's privileges. This can compromise user accounts and expose sensitive corporate data managed within GroupOffice. While the vulnerability does not directly affect system availability or server integrity, the indirect consequences such as data leakage or unauthorized access can be significant for organizations relying on GroupOffice for CRM and groupware functions. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where phishing or social engineering is feasible. Organizations with internet-facing GroupOffice instances are at higher risk, particularly if users have elevated privileges. The absence of known exploits reduces immediate threat but does not preclude future attacks once exploit code becomes available.
Mitigation Recommendations
Organizations should upgrade GroupOffice to version 6.8.155, 25.0.88, or 26.0.10 (or later in the same release branch), where the vulnerability has been patched. Until the upgrade can be applied, administrators should consider web application firewall (WAF) rules that detect and block requests whose Base64-encoded 'f' parameter decodes to script tags or other markup. User education on recognizing and avoiding suspicious links reduces the likelihood of exploitation. A Content Security Policy (CSP) that restricts inline script execution (for example, a nonce- or hash-based script-src) and limits the sources of executable scripts can reduce the impact of XSS. Regularly auditing and monitoring web server logs for anomalous requests to the vulnerable parameter helps identify attempted exploitation. Finally, ensure that session cookies carry the HttpOnly and Secure flags to limit the value of stolen cookies.
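As an added example (not GroupOffice code), the following Node.js snippet contrasts the unsafe embedding pattern described in the technical summary with a hardened form that escapes the decoded JSON for a script context, and shows the log check suggested above; the function names, sample payload and log lines are constructed for illustration.

```javascript
// Added example, not GroupOffice code. renderUnsafe, renderSafe, scriptCloseCount,
// flagSuspiciousF and all sample data are constructed for illustration.

// Unsafe pattern from the advisory: the decoded 'f' JSON text is pasted straight into
// an inline <script> body, so a string value containing "</script" ends the element
// early and whatever follows is parsed by the browser as new HTML.
function renderUnsafe(fB64) {
  const json = Buffer.from(fB64, 'base64').toString('utf8');
  return `<script>var params = ${json};</script>`;
}

// Hardened form: parse the decoded text as JSON (anything else is discarded), then
// re-serialise and escape the characters that matter inside a script element.
// Parsing alone is not enough: a breakout sequence is still a valid JSON string value.
function renderSafe(fB64) {
  let obj = {};
  try { obj = JSON.parse(Buffer.from(fB64, 'base64').toString('utf8')); } catch { /* keep {} */ }
  const json = JSON.stringify(obj)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029'); // JS line terminators
  return `<script>var params = ${json};</script>`;
}

// Number of "</script" sequences in the rendered document; a correct page has exactly one.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Detection over access-log lines: extract the 'f' value, Base64-decode it and flag
// any decoded payload that carries a script tag marker (legitimate params never do).
function flagSuspiciousF(logLine) {
  const m = /[?&]f=([^&\s"]+)/.exec(logLine);
  if (!m) return false;
  let decoded;
  try { decoded = Buffer.from(decodeURIComponent(m[1]), 'base64').toString('utf8'); }
  catch { return false; }
  return /<\/?script/i.test(decoded);
}

// Constructed sample data: one benign request, one carrying the breakout, one unrelated.
const BENIGN_F = Buffer.from('{"email":"user@example.com"}').toString('base64');
const HOSTILE_F = Buffer.from('{"name":"</script><script>x()</script>"}').toString('base64');
const SAMPLE_LOG = [
  `10.0.0.5 - - [06/Mar/2026:21:31:06 +0000] "GET /external/index?f=${encodeURIComponent(BENIGN_F)} HTTP/1.1" 200 512`,
  `10.0.0.9 - - [06/Mar/2026:21:32:10 +0000] "GET /external/index?f=${encodeURIComponent(HOSTILE_F)} HTTP/1.1" 200 512`,
  `10.0.0.7 - - [06/Mar/2026:21:33:00 +0000] "GET /index.php HTTP/1.1" 200 128`,
];

console.log(scriptCloseCount(renderUnsafe(HOSTILE_F)), scriptCloseCount(renderSafe(HOSTILE_F))); // 3 1
console.log(SAMPLE_LOG.map(flagSuspiciousF)); // [ false, true, false ]
```

The escaped output is still valid JavaScript (the browser decodes `\u003c` inside the string literal), so the application keeps its data while the HTML parser never sees a closing tag.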
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Australia, Canada, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.798Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab479ac48b3f10ffdbff88
Added to database: 3/6/2026, 9:31:06 PM
Last enriched: 3/14/2026, 7:43:37 PM
Last updated: 4/19/2026, 12:12:31 PM