Search criteria
12 vulnerabilities by group-office
CVE-2025-53505 (GCVE-0-2025-53505)
Vulnerability from cvelistv5 – Published: 2025-08-21 04:29 – Updated: 2025-08-21 15:46
VLAI?
Summary
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed.
Severity ?
4.3 (Medium)
CWE
- CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Intermesh BV | Group-Office |
Affected:
prior to 6.8.119
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T15:46:29.265569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:46:36.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Group-Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to 6.8.119"
}
]
},
{
"product": "Group-Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T04:29:44.539Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.group-office.com/"
},
{
"url": "https://jvn.jp/en/jp/JVN72111431/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-53505",
"datePublished": "2025-08-21T04:29:44.539Z",
"dateReserved": "2025-07-01T07:31:26.725Z",
"dateUpdated": "2025-08-21T15:46:36.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53504 (GCVE-0-2025-53504)
Vulnerability from cvelistv5 – Published: 2025-08-21 04:29 – Updated: 2025-08-21 15:47
VLAI?
Summary
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Intermesh BV | Group-Office |
Affected:
prior to 6.8.119
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T15:46:55.592527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:47:02.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Group-Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to 6.8.119"
}
]
},
{
"product": "Group-Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to 25.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T04:29:14.292Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.group-office.com/"
},
{
"url": "https://jvn.jp/en/jp/JVN72111431/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-53504",
"datePublished": "2025-08-21T04:29:14.292Z",
"dateReserved": "2025-07-01T07:31:26.725Z",
"dateUpdated": "2025-08-21T15:47:02.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25191 (GCVE-0-2025-25191)
Vulnerability from cvelistv5 – Published: 2025-03-06 18:41 – Updated: 2025-03-06 20:35
VLAI?
Title
Group-Office has a Stored XSS Vulnerability via user's name field
Summary
Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.100
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25191",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T20:35:01.606030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T20:35:12.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.100"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise CRM and groupware tool. This Stored XSS vulnerability exists where user input in the Name field is not properly sanitized before being stored. This vulnerability is fixed in 6.8.100."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T18:41:00.761Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-j7p3-v652-p3gf"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/c5c83e19a5cdf93b0e758726c97597861f1d6eda"
}
],
"source": {
"advisory": "GHSA-j7p3-v652-p3gf",
"discovery": "UNKNOWN"
},
"title": "Group-Office has a Stored XSS Vulnerability via user\u0027s name field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25191",
"datePublished": "2025-03-06T18:41:00.761Z",
"dateReserved": "2025-02-03T19:30:53.399Z",
"dateUpdated": "2025-03-06T20:35:12.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23941 (GCVE-0-2024-23941)
Vulnerability from cvelistv5 – Published: 2024-02-01 03:56 – Updated: 2025-06-04 15:25
VLAI?
Summary
Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Intermesh BV | Group Office |
Affected:
prior to v6.6.182
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-05T18:46:18.532239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T15:25:00.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.group-office.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN63567545/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Group Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to v6.6.182"
}
]
},
{
"product": "Group Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to v6.7.64"
}
]
},
{
"product": "Group Office",
"vendor": "Intermesh BV",
"versions": [
{
"status": "affected",
"version": "prior to v6.8.31"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T03:56:12.231Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/Intermesh/groupoffice/"
},
{
"url": "https://www.group-office.com/"
},
{
"url": "https://jvn.jp/en/jp/JVN63567545/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-23941",
"datePublished": "2024-02-01T03:56:12.231Z",
"dateReserved": "2024-01-24T01:34:18.418Z",
"dateUpdated": "2025-06-04T15:25:00.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22418 (GCVE-0-2024-22418)
Vulnerability from cvelistv5 – Published: 2024-01-18 20:44 – Updated: 2025-06-17 21:19
VLAI?
Title
Stored Cross-site Scripting Vulnerability via Malicious File Names in GroupOffice
Summary
Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For instance, using a filename such as “><img src=x onerror=prompt('XSS')>.jpg” triggers the vulnerability. When this file is uploaded, the JavaScript code within the filename is executed. This issue has been addressed in version 6.8.29. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.29
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-p7w9-h6c3-wqpp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-p7w9-h6c3-wqpp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/2a52a5d42d080db6738d70eba30294bcd94ebd09",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/commit/2a52a5d42d080db6738d70eba30294bcd94ebd09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-19T17:02:28.558815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:22.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.29"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file\u0027s name. For instance, using a filename such as \u201c\u003e\u003cimg src=x onerror=prompt(\u0027XSS\u0027)\u003e.jpg\u201d triggers the vulnerability. When this file is uploaded, the JavaScript code within the filename is executed. This issue has been addressed in version 6.8.29. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-18T20:44:57.229Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-p7w9-h6c3-wqpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-p7w9-h6c3-wqpp"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/2a52a5d42d080db6738d70eba30294bcd94ebd09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/2a52a5d42d080db6738d70eba30294bcd94ebd09"
}
],
"source": {
"advisory": "GHSA-p7w9-h6c3-wqpp",
"discovery": "UNKNOWN"
},
"title": "Stored Cross-site Scripting Vulnerability via Malicious File Names in GroupOffice"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22418",
"datePublished": "2024-01-18T20:44:57.229Z",
"dateReserved": "2024-01-10T15:09:55.552Z",
"dateUpdated": "2025-06-17T21:19:22.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46730 (GCVE-0-2023-46730)
Vulnerability from cvelistv5 – Published: 2023-11-07 17:35 – Updated: 2024-09-04 15:56
VLAI?
Title
Server-Side Request Forgery in groupoffice
Summary
Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.4 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intermesh | groupoffice |
Affected:
>= 6.3.0, < 6.6.177
Affected: >= 6.7.0, < 6.7.54 Affected: >= 6.8.0, < 6.8.15 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "group-office",
"vendor": "intermesh",
"versions": [
{
"lessThan": "6.6.177",
"status": "affected",
"version": "6.30",
"versionType": "custom"
},
{
"lessThan": "6.7.54",
"status": "affected",
"version": "6.70",
"versionType": "custom"
},
{
"lessThan": "6.8.15",
"status": "affected",
"version": "6.80",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46730",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T15:52:27.981201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:56:13.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.3.0, \u003c 6.6.177"
},
{
"status": "affected",
"version": "\u003e= 6.7.0, \u003c 6.7.54"
},
{
"status": "affected",
"version": "\u003e= 6.8.0, \u003c 6.8.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T17:35:36.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-vw6c-h82w-mvfv"
},
{
"name": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/commit/99205535e8cec6592fd7f1469837926f27c72d50"
}
],
"source": {
"advisory": "GHSA-vw6c-h82w-mvfv",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in groupoffice "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46730",
"datePublished": "2023-11-07T17:35:36.332Z",
"dateReserved": "2023-10-25T14:30:33.751Z",
"dateUpdated": "2024-09-04T15:56:13.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25292 (GCVE-0-2023-25292)
Vulnerability from cvelistv5 – Published: 2023-04-27 00:00 – Updated: 2025-01-31 19:07
VLAI?
Summary
Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:36.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://group-office.com"
},
{
"tags": [
"x_transferred"
],
"url": "http://intermesh.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/brainkok/CVE-2023-25292"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-25292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T19:06:41.682893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T19:07:54.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://group-office.com"
},
{
"url": "http://intermesh.com"
},
{
"url": "https://github.com/brainkok/CVE-2023-25292"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-25292",
"datePublished": "2023-04-27T00:00:00.000Z",
"dateReserved": "2023-02-06T00:00:00.000Z",
"dateUpdated": "2025-01-31T19:07:54.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28060 (GCVE-0-2021-28060)
Vulnerability from cvelistv5 – Published: 2021-04-14 16:11 – Updated: 2024-08-03 21:33
VLAI?
Summary
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-ssrf.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-SSRF/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T16:11:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-ssrf.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-SSRF/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-28060",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-ssrf.html",
"refsource": "MISC",
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-ssrf.html"
},
{
"name": "https://fatihhcelik.github.io/posts/Group-Office-CRM-SSRF/",
"refsource": "MISC",
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-SSRF/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-28060",
"datePublished": "2021-04-14T16:11:18",
"dateReserved": "2021-03-08T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-35418 (GCVE-0-2020-35418)
Vulnerability from cvelistv5 – Published: 2021-04-14 16:11 – Updated: 2024-08-04 17:02
VLAI?
Summary
Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:02:07.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-stored-xss-via-svg-file.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T16:11:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-stored-xss-via-svg-file.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35418",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-stored-xss-via-svg-file.html",
"refsource": "MISC",
"url": "https://fatihhcelik.blogspot.com/2020/12/group-office-crm-stored-xss-via-svg-file.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35418",
"datePublished": "2021-04-14T16:11:16",
"dateReserved": "2020-12-14T00:00:00",
"dateUpdated": "2024-08-04T17:02:07.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-35419 (GCVE-0-2020-35419)
Vulnerability from cvelistv5 – Published: 2021-04-14 16:11 – Updated: 2024-08-04 17:02
VLAI?
Summary
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:02:08.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-Stored-XSS-via-SVG-File/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T16:11:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-Stored-XSS-via-SVG-File/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35419",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fatihhcelik.github.io/posts/Group-Office-CRM-Stored-XSS-via-SVG-File/",
"refsource": "MISC",
"url": "https://fatihhcelik.github.io/posts/Group-Office-CRM-Stored-XSS-via-SVG-File/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35419",
"datePublished": "2021-04-14T16:11:14",
"dateReserved": "2020-12-14T00:00:00",
"dateUpdated": "2024-08-04T17:02:08.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-4240 (GCVE-0-2012-4240)
Vulnerability from cvelistv5 – Published: 2014-09-11 14:00 – Updated: 2024-08-06 20:28
VLAI?
Summary
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:28:07.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "21056",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/21056"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.reactionpenetrationtesting.co.uk/group-office-sqli.html"
},
{
"name": "groupoffice-json-sort-sql-injection(78253)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78253"
},
{
"name": "55383",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55383"
},
{
"name": "20120903 Group-Office Calendar SQL Injection",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0011.html"
},
{
"name": "85171",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/85171"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "21056",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/21056"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.reactionpenetrationtesting.co.uk/group-office-sqli.html"
},
{
"name": "groupoffice-json-sort-sql-injection(78253)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78253"
},
{
"name": "55383",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/55383"
},
{
"name": "20120903 Group-Office Calendar SQL Injection",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0011.html"
},
{
"name": "85171",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/85171"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-4240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "21056",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/21056"
},
{
"name": "http://www.reactionpenetrationtesting.co.uk/group-office-sqli.html",
"refsource": "MISC",
"url": "http://www.reactionpenetrationtesting.co.uk/group-office-sqli.html"
},
{
"name": "groupoffice-json-sort-sql-injection(78253)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78253"
},
{
"name": "55383",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/55383"
},
{
"name": "20120903 Group-Office Calendar SQL Injection",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-09/0011.html"
},
{
"name": "85171",
"refsource": "OSVDB",
"url": "http://osvdb.org/85171"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-4240",
"datePublished": "2014-09-11T14:00:00",
"dateReserved": "2012-08-09T00:00:00",
"dateUpdated": "2024-08-06T20:28:07.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-2720 (GCVE-0-2007-2720)
Vulnerability from cvelistv5 – Published: 2007-05-16 19:00 – Updated: 2024-08-07 13:49
VLAI?
Summary
Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T13:49:57.276Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "25369",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/25369"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://sourceforge.net/project/shownotes.php?release_id=498556\u0026group_id=76359"
},
{
"name": "ADV-2007-1773",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/1773"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://group-office.svn.sourceforge.net/viewvc/group-office?view=rev\u0026revision=261"
},
{
"name": "23925",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/23925"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-05-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2007-06-01T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "25369",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/25369"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://sourceforge.net/project/shownotes.php?release_id=498556\u0026group_id=76359"
},
{
"name": "ADV-2007-1773",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/1773"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://group-office.svn.sourceforge.net/viewvc/group-office?view=rev\u0026revision=261"
},
{
"name": "23925",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/23925"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-2720",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "25369",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/25369"
},
{
"name": "http://sourceforge.net/project/shownotes.php?release_id=498556\u0026group_id=76359",
"refsource": "CONFIRM",
"url": "http://sourceforge.net/project/shownotes.php?release_id=498556\u0026group_id=76359"
},
{
"name": "ADV-2007-1773",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/1773"
},
{
"name": "http://group-office.svn.sourceforge.net/viewvc/group-office?view=rev\u0026revision=261",
"refsource": "MISC",
"url": "http://group-office.svn.sourceforge.net/viewvc/group-office?view=rev\u0026revision=261"
},
{
"name": "23925",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/23925"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-2720",
"datePublished": "2007-05-16T19:00:00",
"dateReserved": "2007-05-16T00:00:00",
"dateUpdated": "2024-08-07T13:49:57.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}