PT-2025-22527 · Unknown · Group-Office
Kh0Kamoni
·
Published
2025-05-22
·
Updated
2025-05-30
·
CVE-2025-48366
CVSS v4.0
7.9
High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Group-Office versions prior to 6.8.119 and 25.0.20
Description
A stored, blind cross-site scripting (XSS) vulnerability exists in the Phone Number field of the user profile in the Group-Office application. A malicious actor can store a persistent JavaScript payload in that field; it is triggered in the browser of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution, without user interaction.
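The root cause described above is a stored field value reaching the Address Book view as live markup instead of text. The following JavaScript is an added illustration, not Group-Office's own code: it contrasts the unsafe rendering pattern with output encoding, and adds an allowlist check that administrators could use to audit already-stored phone values. The contact records, the function names and the allowlist pattern are all constructed assumptions for the example.

```javascript
// Constructed sample data: one normal contact and one whose stored phone
// field contains markup (harmless <b> tags stand in for an injected payload).
const SAMPLE_CONTACTS = [
  { id: "c1", name: "Example Contact", phone: "+1 555 0100" },
  { id: "c2", name: "Example Contact 2", phone: "+1 555 <b>0100</b>" },
];
const SAMPLE_CONTACT = SAMPLE_CONTACTS[1];

// Vulnerable pattern (illustrative): the stored value is concatenated into a
// markup string that the view later assigns via innerHTML, so any tags the
// value contains become part of the viewing user's DOM.
function renderPhoneUnsafe(contact) {
  return `<span class="phone">${contact.phone}</span>`;
}

// Mitigation 1: HTML-encode at output time. This is the correct encoder for
// text placed in an element body or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderPhoneEscaped(contact) {
  return `<span class="phone">${escapeHtml(contact.phone)}</span>`;
}

// Mitigation 2 (defense in depth): validate the field against an allowlist
// of characters a phone number can plausibly contain. Hypothetical pattern:
// optional "+", a leading digit or "(", then digits, spaces and separators.
const PHONE_ALLOWED = /^\+?[0-9()][0-9 ()\-.\/]{2,30}$/;

function isValidPhone(value) {
  return typeof value === "string" && PHONE_ALLOWED.test(value);
}

// Audit helper for existing data: returns ids of contacts whose stored phone
// value would not pass the allowlist, so they can be reviewed after patching.
function auditPhones(contacts) {
  return contacts.filter((c) => !isValidPhone(c.phone)).map((c) => c.id);
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe  :", renderPhoneUnsafe(SAMPLE_CONTACT));
  console.log("escaped :", renderPhoneEscaped(SAMPLE_CONTACT));
  console.log("flagged :", auditPhones(SAMPLE_CONTACTS));
}
```

Output encoding is the fix that closes the issue regardless of what was stored; the allowlist is a secondary control that also gives a cheap detection signal: any record an audit like the one above flags is worth inspecting, since a phone number has no legitimate reason to contain angle brackets or quotes.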
Recommendations
For versions prior to 6.8.119, update to version 6.8.119 or later.
For versions prior to 25.0.20, update to version 25.0.20 or later.
Affected Products
Group-Office