Group-Office Reflected Cross-Site Scripting Vulnerability in Installer License Page

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Group-Office installer, specifically in the endpoint 'install/license.php'. This issue affects versions prior to 26.0.10, 25.0.88, and 6.8.155. The vulnerability arises because the POST field 'license' is rendered without proper escaping inside a <textarea>, allowing for a breakout and execution of injected script content. The flaw has been addressed in the mentioned patched versions.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access the Group-Office installer and navigate to the license installation page. In the License key field, enter a payload that includes a closing </textarea> tag followed by a <script> tag, such as '</textarea><script>alert(1)</script><textarea>'. This injection exploits the lack of HTML encoding by breaking out of the <textarea> context and executing the script.
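The rendering defect described above (an untrusted POST value interpolated verbatim into a `<textarea>`) and its fix are modelled here in Python as an added illustration; this is not Group-Office code, and the function names, the sample license strings and the `install/license.php` render step they stand in for are assumptions. The unsafe and escaped render paths sit side by side, and a small tag-count check shows why escaping closes the breakout: once the value is HTML-encoded, the fragment contains only the one textarea pair.

```python
import html
import re

# Constructed sample values (not taken from any real installer request).
BREAKOUT_PAYLOAD = '</textarea><script>alert(1)</script><textarea>'
BENIGN_LICENSE = 'ABC-123\nsecond line of a normal license key'


def render_license_textarea_unsafe(license_value: str) -> str:
    """Vulnerable pattern: the POST field is echoed into the page as-is.

    In PHP this is the equivalent of printing $_POST['license'] directly
    between the textarea tags.
    """
    return f'<textarea name="license">{license_value}</textarea>'


def render_license_textarea_safe(license_value: str) -> str:
    """Fixed pattern: HTML-escape before interpolation.

    html.escape with quote=True encodes <, >, &, " and ', which is the same
    effect as htmlspecialchars($value, ENT_QUOTES, 'UTF-8') in PHP.
    """
    return f'<textarea name="license">{html.escape(license_value, quote=True)}</textarea>'


# Matches any opening or closing element tag and captures (slash, tag name).
_TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>')

# Matches a closing textarea tag regardless of case or stray whitespace,
# the minimum an input must contain to break out of the field.
_BREAKOUT_RE = re.compile(r'</\s*textarea', re.IGNORECASE)


def textarea_contains_breakout(fragment: str) -> bool:
    """Return True when a rendered textarea fragment contains tags other than
    the single <textarea>...</textarea> pair, i.e. the value escaped the field."""
    tags = _TAG_RE.findall(fragment)
    return tags != [('', 'textarea'), ('/', 'textarea')]


def is_textarea_breakout_attempt(submitted_value: str) -> bool:
    """Input-side check a request log or WAF rule could apply to the raw
    'license' field: flags values carrying a closing textarea tag."""
    return _BREAKOUT_RE.search(submitted_value) is not None


if __name__ == '__main__':
    unsafe = render_license_textarea_unsafe(BREAKOUT_PAYLOAD)
    safe = render_license_textarea_safe(BREAKOUT_PAYLOAD)
    print('unsafe render breaks out:', textarea_contains_breakout(unsafe))
    print('escaped render breaks out:', textarea_contains_breakout(safe))
    print('benign value flagged:', is_textarea_breakout_attempt(BENIGN_LICENSE))
```

The tag-count check is deliberately strict: a correctly rendered license field should never produce more than its own opening and closing tag, so any extra element in the output is evidence that the escaping step was skipped. The input-side pattern is useful for retrospective log review of installer requests but is only a detection aid; the fix is output encoding at render time.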

Remediation

Users can update to Group-Office versions 26.0.10, 25.0.88, or 6.8.155 to address this vulnerability.

Added: Mar 6, 2026, 10:19 PM
Updated: Mar 6, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 7.5
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.