Group-Office Cross-Site Scripting Vulnerability in Task Comments

Vulnerability

A persistent (stored) Cross-Site Scripting (XSS) vulnerability has been identified in Group-Office 6.8 releases through 6.8.118 and 25.0 releases before 25.0.20. The issue resides in the tasks comment functionality: when a comment carries an image attachment, the application inserts the image's filename into the comment's HTML without escaping it. An attacker who can comment on a task therefore only needs to upload an image whose filename contains HTML, for example an img tag or an attribute carrying an 'onerror' handler. The filename is stored with the comment, so the injected JavaScript executes in the browser of every user who later views the task, administrators included, with that user's privileges inside the application.

Impact

Exploitation of this vulnerability yields persistent Cross-Site Scripting: the injected JavaScript runs in the context of whichever user opens the task, and because the payload lives in stored data it fires on every view rather than only when a victim follows a crafted link. Consequences include session hijacking, compromise of administrative accounts, theft of CSRF tokens (which lets the script issue state-changing requests as the victim), and phishing attacks rendered inside the application's own UI. The same foothold could be used to push malicious downloads to users of the instance.

Reproduction

To reproduce this vulnerability, log in as a regular user and create a new task. In the comment section, attach an image whose filename is itself the XSS payload, for example an image tag with an 'onerror' event handler (something of the form <img src=x onerror=alert(document.domain)>.png; the exact form depends on whether the name lands in text or inside an attribute of the rendered markup). The filename must be uploaded as-is, so the local filesystem has to permit characters such as <, > and " in names. After sending the comment, open the task: the payload executes as soon as the comment is rendered.
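The two steps above (an unescaped filename rendered into comment HTML, and a filename crafted to abuse that) come down to a single unsafe string concatenation. The following is an added illustration written for this page, not Group-Office's own code: a vulnerable renderer next to a hardened one, two constructed malicious filenames, and a small attribute scanner that shows which event-handler attributes a browser would actually see in each output. Function names, the attachment URL and the filenames are all assumptions made for the example.

```javascript
// Added example (not Group-Office code). Names, URL and filenames are assumed.

// Minimal escaper for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the user-controlled filename is concatenated straight
// into markup, both inside attributes and as visible text.
function renderAttachmentUnsafe(fileName, url) {
  return '<img src="' + url + '" alt="' + fileName + '" title="' + fileName + '">' +
         '<span>' + fileName + '</span>';
}

// Hardened pattern: every interpolation point is escaped for its context.
// The URL is assumed to be server-generated; it is escaped here only so that
// a stray quote in it cannot break the attribute either.
function renderAttachmentSafe(fileName, url) {
  const f = escapeHtml(fileName);
  return '<img src="' + escapeHtml(url) + '" alt="' + f + '" title="' + f + '">' +
         '<span>' + f + '</span>';
}

// Tiny tag/attribute scanner (not a full HTML parser): returns the attribute
// names of every start tag, which is enough to spot injected handlers.
function attributeNames(html) {
  const names = [];
  const tagRe = /<[a-z][a-z0-9]*((?:\s+[^\s=>\/]+(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/gi;
  const attrRe = /\s+([^\s=>\/]+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      names.push(attr[1].toLowerCase());
    }
  }
  return names;
}

// True if any tag in the markup carries an on* event-handler attribute.
function hasEventHandlerAttribute(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Constructed inputs (no real file is uploaded here).
const FILE_URL = "/api/upload/123";
// Breaks out of the alt="..." attribute and adds an onerror handler.
const EVIL_ATTR = 'x" onerror="alert(document.domain)';
// Inert inside a quoted attribute, but becomes a new tag when echoed as text.
const EVIL_TAG = "<img src=x onerror=alert(document.domain)>.png";

for (const name of [EVIL_ATTR, EVIL_TAG]) {
  console.log("filename:", name);
  console.log("  unsafe render has handler:", hasEventHandlerAttribute(renderAttachmentUnsafe(name, FILE_URL)));
  console.log("  safe render has handler:  ", hasEventHandlerAttribute(renderAttachmentSafe(name, FILE_URL)));
}
```

The two filenames target different output contexts, which is why a fix has to escape at every point where the name is emitted rather than at the one place a tester happened to hit. Rejecting such names at upload time is a reasonable extra layer, but it does not cover names already stored, so output escaping remains the primary control.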

Remediation

Update to Group-Office 6.8.119 or 25.0.20 (or later), which patch this issue. Because the payload is carried in stored attachment filenames rather than in a one-off request, it is also worth checking existing task comments for attachments whose names contain characters such as <, > or " that were uploaded before the fix was applied.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.4
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.