PT-2026-22390 · Unknown · Group-Office
Numberoreo1 · Published 2026-02-27 · Updated 2026-02-28 · CVE-2026-27947
CVSS v4.0: 9.4 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Group-Office versions prior to 26.0.9
Group-Office versions prior to 25.0.87
Group-Office versions prior to 6.8.154
Description
Group-Office is a customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 contain a flaw that allows authenticated Remote Code Execution through the processing of TNEF attachments. The issue arises because the software extracts files from winmail.dat, and the names of those files are controlled by the attacker. The zip command is then invoked with a shell wildcard (*), so attackers can manipulate filenames to execute arbitrary commands.
Recommendations
Update Group-Office to version 26.0.9.
Update Group-Office to version 25.0.87.
Update Group-Office to version 6.8.154.
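
The wildcard problem from the Description, as an added shell example (not Group-Office code and not part of the advisory): it shows how a bare `*` passes an extracted file name to a command as an option, and how `./*` prevents that. The file names and function names are constructed for illustration, and no archiver is run.

```shell
#!/bin/sh
# Added example with constructed names; it only counts arguments.

# Count the arguments a command-line parser would read as options.
count_option_like() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Bare wildcard inside the extraction directory: the shell expands it
# to raw file names before the command starts.
expand_bare() (
    cd "$1" || exit 1
    count_option_like *
)

# Hardened form: with a "./" prefix no expanded name can begin with "-".
expand_prefixed() (
    cd "$1" || exit 1
    count_option_like ./*
)

# Constructed extraction directory: one ordinary name, one option-like name.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"
    : > "$d/--constructed-option"
    echo "$d"
}

sample=$(make_sample_dir)
echo "bare *: $(expand_bare "$sample") option-like argument(s)"
echo "./*:    $(expand_prefixed "$sample") option-like argument(s)"
rm -rf "$sample"
```

Rejecting or renaming extracted attachments whose names begin with `-` before any command sees them gives a second layer of protection on unpatched systems.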
Exploit
Fix
Unrestricted File Upload
Argument Injection
Related identifiers
Affected products
Group-Office