Intermesh Group-Office
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*
- 6.8.99
A stored cross-site scripting vulnerability has been identified in Group-Office version 6.8.99. This issue arises because user input in the Name field is not adequately sanitized before being saved, allowing malicious JavaScript to be executed later. The vulnerability is present in the history module, where the injected script can run when an administrative user views the changes made by the affected user.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user viewing the history, potentially leading to session hijacking, phishing attacks, or malware distribution. Since the history page is accessible to administrative users, an attacker could gain elevated privileges and further compromise the system.
To reproduce this vulnerability, log into the Group-Office portal as a user and change the name to include a malicious JavaScript payload, such as an image tag with an 'onerror' event. Then, log in as an admin in a different browser and navigate to the 'History' section. Click on the 'Changes' column to view the updates, which will trigger the execution of the injected JavaScript.
Users can update to Group-Office version 6.8.100, where this vulnerability has been patched.
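The pattern behind this class of bug, shown as an added example that is neither Group-Office source code nor its actual patch: a change-log row built by string concatenation beside the same row with output encoding. The entry shape, function names and sample value are assumptions constructed for illustration.

```javascript
// Added example: hypothetical change-log renderer, not Group-Office code.
// Constructed sample entry: a Name field changed to a value containing markup.
const sampleEntry = {
  user: "jdoe",
  changes: { name: ["John Doe", '<img src=x onerror="alert(1)">'] },
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can open a tag, attribute value or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated into markup as-is, so the
// browser parses the stored name as HTML when the history row is opened.
function renderChangesUnsafe(entry) {
  return Object.entries(entry.changes)
    .map(([field, [oldV, newV]]) => `<tr><td>${field}</td><td>${oldV}</td><td>${newV}</td></tr>`)
    .join("");
}

// Hardened pattern: encode at output, for field names as well as values.
function renderChangesSafe(entry) {
  return Object.entries(entry.changes)
    .map(([field, [oldV, newV]]) =>
      `<tr><td>${escapeHtml(field)}</td><td>${escapeHtml(oldV)}</td><td>${escapeHtml(newV)}</td></tr>`)
    .join("");
}

// Regression check: count element start tags that are not part of the row template.
function countInjectedTags(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<(tr|td)>$/.test(t)).length;
}
```

Encoding at render time protects the administrator's view even for values stored before the input handling was fixed, which matters for history records written by a vulnerable version.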