Kh0Kamoni

**Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.0 **Description A stored and blind cross-site scripting (XSS) issue exists in the form title field. An attacker can inject JavaScript without authentication via a form title, which is saved in the backend database. When a user visits the affected page, the JavaScript payload is executed. The vulnerability occurs because the application stores malicious user input in its backend database and renders it later on a page viewed by other users without proper sanitization or encoding. The attacker can inject JavaScript payloads in the title field of a form, which the application stores in the database. When any user views the page that displays this title, the malicious script executes in their browser context. A proof of concept involves visiting a specific form URL, injecting a script into the 'Name of the event' and 'Description' fields, and saving the record. The payload is then executed when anyone visits the diary record. **Recommendations Update to YesWiki version 4.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.123 and 25.0.27 **Description** The issue is related to a reflected cross-site scripting (XSS) attack. A malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. **Recommendations** For versions prior to 6.8.123, update to version 6.8.123 or later. For versions prior to 25.0.27, update to version 25.0.27 or later. As a temporary workaround, consider restricting access to the Look and Feel formatting fields until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.123 Group-Office versions prior to 25.0.27 **Description** A stored and blind cross-site scripting (XSS) issue exists in the Name Field of the user profile. An attacker can change their name to a javascript payload, which is executed when a user adds the malicious user to their Synchronization > Address books. **Recommendations** For versions prior to 6.8.123, update to version 6.8.123 or later. For versions prior to 25.0.27, update to version 25.0.27 or later. As a temporary workaround, consider restricting the ability to add users to the Synchronization > Address books until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.119 and 25.0.20 **Description** A stored and blind XSS issue exists in the Phone Number field of the user profile within the Group-Office application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution without user interaction. **Recommendations** For versions prior to 6.8.119, update to version 6.8.119 or later. For versions prior to 25.0.20, update to version 25.0.20 or later.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.119 Group-Office versions prior to 25.0.20 **Description** A DOM-based Cross-Site Scripting (XSS) issue exists in the Group-Office application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. **Recommendations** For versions prior to 6.8.119, update to version 6.8.119 or later to resolve the issue. For versions prior to 25.0.20, update to version 25.0.20 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.119 and 25.0.20 **Description** The issue is a persistent Cross-Site Scripting (XSS) vulnerability in Group-Office's tasks comment functionality. This allows attackers to execute arbitrary JavaScript by uploading a file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. **Recommendations** For versions prior to 6.8.119, update to version 6.8.119 or later to resolve the issue. For versions prior to 25.0.20, update to version 25.0.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the tasks comment functionality until a patch is applied.