CVE-2024-22418

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.29

Description The issue is related to the file upload mechanism in Group-Office, allowing an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For example, using a filename such as "><img src=x onerror=prompt('XSS')>.jpg" can trigger this issue. When such a file is uploaded, the JavaScript code within the filename is executed.

Recommendations For versions prior to 6.8.29, upgrade to version 6.8.29 or later to address the issue. As a temporary workaround, consider restricting file uploads or validating filenames to prevent the execution of embedded JavaScript code. Avoid using filenames that contain potentially executable code until the issue is resolved.