Group-Office Stored Blind Cross-Site Scripting Vulnerability in User Profile Phone Number Field

Vulnerability

A stored, blind cross-site scripting (XSS) vulnerability has been identified in the Phone Number field of the user profile in Group-Office, an enterprise customer relationship management and groupware tool. Versions through 6.8.118 and 20.0.119 are affected. A low-privileged user can save a JavaScript payload in their own phone number; the payload persists on the server and executes in the browser of any other user who views the Address Book. The XSS is "blind" in the sense that the attacker never sees the execution: the victim does not have to click or interact with the payload, as merely viewing the entry is enough. Exploitation can lead to forced redirects, unauthorized fetch requests to the application in the victim's session, or other arbitrary JavaScript execution.

Impact

Because the payload is stored and fires automatically when the affected phone number is rendered in the Address Book, every user who browses the Address Book is a potential victim, including administrators. A simple payload can force a redirect or issue fetch requests with the victim's credentials; a more advanced payload could exfiltrate session data or perform actions in the application on behalf of the victim. Note that exfiltrating the session cookie itself depends on the cookie's attributes (an HttpOnly cookie is not readable from script), but the injected script can still send authenticated requests from the victim's browser regardless of that flag.

Reproduction

To reproduce this vulnerability:

1. Log in as an administrator and navigate to 'System Settings > Users'. Create two users, 'user1' and 'user2'.
2. Log out and log in as 'user1'. Go to 'My Account > Profile > Communication'.
3. Add a phone number whose value is an XSS payload, for example an image tag with an 'onerror' handler that sets the page location, and save the entry. The field accepts the markup unchanged.
4. Log out and log in as 'user2'. Open the Address Book and view the entry for 'user1'.

The stored payload executes in user2's browser as soon as the entry is rendered, redirecting the page to the URL fragment specified in the payload. No further interaction by user2 is required.
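The following is an added example, not code from Group-Office or from the advisory author. It shows, in plain JavaScript, why the vulnerability arises and what the fix looks like: a stored phone number concatenated into markup that is later assigned to `innerHTML` lets a tag-based payload through, while escaping at output time neutralises it. It also includes an input allowlist for phone numbers and a small triage helper for sweeping already-stored values after patching. The payload string, the function names and the `PHONE_RE` pattern are constructed for this example and are not taken from the advisory.

```javascript
// Added example (not Group-Office code). All names and the regex are assumptions.

// A payload of the kind the advisory describes: an <img> whose onerror handler
// runs when the tag is rendered as HTML. Constructed for this example.
const XSS_PAYLOAD = '<img src=x onerror="location.hash=\'#pwned\'">';

// Vulnerable pattern: the stored value is concatenated straight into markup
// that the Address Book view later assigns to innerHTML. The tag survives,
// the browser creates the element, the image fails to load, onerror fires.
function renderPhoneUnsafe(phone) {
  return '<span class="phone">' + phone + '</span>';
}

// Minimal HTML entity escaping for text placed into an element body or into
// a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened render: every stored value is escaped at output time, regardless
// of whatever validation happened when it was saved.
function renderPhoneSafe(phone) {
  return '<span class="phone">' + escapeHtml(phone) + '</span>';
}

// Defense in depth: an input allowlist for phone numbers (optional leading '+',
// then digits and common separators). Anything else is rejected before storage.
// The exact pattern is an assumption; adapt it to the formats you need to accept.
const PHONE_RE = /^\+?[0-9][0-9 ().-]{3,30}$/;
function isValidPhone(phone) {
  return PHONE_RE.test(String(phone));
}

// Triage helper: flags a stored value that contains a tag start or an inline
// event handler. Useful for sweeping existing profile fields after upgrading.
function looksLikeMarkup(value) {
  const s = String(value);
  return /<[a-z!/]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// In a browser, `el.innerHTML = renderPhoneUnsafe(p)` executes the payload,
// while `el.textContent = p` or `el.innerHTML = renderPhoneSafe(p)` does not.
```

Usage: run `looksLikeMarkup` over every phone-number value exported from the address book to find entries that were injected before the patch was applied; the escaping function is the output-side fix and the allowlist is the input-side one, and a robust fix applies both.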

Remediation

Group-Office versions 6.8.119 and 25.0.20 include a fix for this vulnerability. Users on affected versions should update to a patched version. Because the payload is stored, upgrading alone does not remove entries that were injected before the patch; review existing profile phone numbers for embedded markup and clean them up as part of the remediation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.4
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.