Vicious

**Name of the Vulnerable Software and Affected Versions** Group-Office version 3.5.9 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `category id` parameter in a "category" action, specifically targeting the modules/notes/json.php module. **Recommendations** For version 3.5.9, consider restricting access to the vulnerable module until a patch is available. Avoid using the `category id` parameter in the affected API endpoint until the issue is resolved.