PT-2026-6303 · Unknown · Group-Office
Siefr3Dus
·
Publicado
2026-02-04
·
Atualizado
2026-02-04
·
CVE-2026-25511
CVSS v4.0
8.2
Alta
| Vetor | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Group-Office versions prior to 6.8.150
Group-Office versions prior to 25.0.82
Group-Office versions prior to 26.0.5
Description
An authenticated user with System Administrator privileges can trigger a server-side request forgery (SSRF) through the WOPI service discovery URL. This allows access to internal hosts and ports, and the response body can be exfiltrated using the built-in debug system, resulting in a visible SSRF and enabling full server-side file read.
Recommendations
Update Group-Office to version 6.8.150 or later.
Update Group-Office to version 25.0.82 or later.
Update Group-Office to version 26.0.5 or later.
Exploit
Correção
SSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Group-Office