Group-Office Authenticated Stored Cross-Site Scripting Vulnerability in Administrator Context

Vulnerability

A stored cross-site scripting vulnerability has been identified in Group-Office, an enterprise customer relationship management and groupware tool. This issue affects versions prior to 26.0.25, 25.0.100, and 6.8.165. The vulnerability allows low-privileged authenticated users to inject arbitrary JavaScript payloads into an administrator's email font size setting. Two defects combine to make this possible: a setting-write capability that lets one user write another user's settings (cross-user write), and a client-side sink in the email module that injects the stored font size value directly into JavaScript without proper escaping. When the administrator accesses the Group-Office web client, the injected JavaScript is executed, leading to a compromise of the administrator's session and unauthorized privilege escalation.

Impact

Exploitation of this vulnerability allows authenticated low-privileged users to execute JavaScript in the context of an administrator's session, effectively compromising the administrator's account. This could lead to unauthorized access to privileged actions and data, including the ability to modify user roles and access sensitive information such as emails, files, notes, and calendar entries.

Reproduction

To reproduce this vulnerability, log in with a low-privileged account and send a POST request to 'index.php?r=core/saveSetting' with the 'name' parameter set to 'email_font_size', the 'value' parameter containing a JavaScript payload, and the 'user_id' parameter set to an administrator's user ID. Once the setting is saved, have the administrator open the Group-Office web UI, which will trigger the execution of the injected JavaScript payload in their browser.

Remediation

Users can update to Group-Office versions 26.0.25, 25.0.100, or 6.8.165 to address this vulnerability.
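The two defects the advisory describes, a setting-write endpoint that trusts a caller-supplied user_id and a client-side sink that splices the stored value into JavaScript, are modelled below together with the checks that close them. This is an added illustration, not Group-Office code; handleSaveSetting, resolveTargetUser, VALIDATORS, the 14 px fallback and the 8..72 px bounds are assumptions.

```javascript
// Added illustration, not Group-Office code: names and defaults are hypothetical.
const DEFAULT_FONT_SIZE_PX = 14; // assumed fallback
const VALIDATORS = {
  // A font size is a bounded integer number of pixels; anything else falls back.
  email_font_size: (raw) => {
    const m = /^\s*(\d{1,2})\s*(px)?\s*$/.exec(String(raw));
    const n = m ? Number(m[1]) : NaN;
    return n >= 8 && n <= 72 ? n : DEFAULT_FONT_SIZE_PX;
  },
};

// Defect 1: the save endpoint honoured a caller-supplied user_id. Only an
// administrator may write another user's settings; everyone else writes their own.
function resolveTargetUser(actor, requestedUserId) {
  if (requestedUserId == null || requestedUserId === actor.id) return actor.id;
  if (actor.isAdmin) return requestedUserId;
  return null; // cross-user write by a non-admin: refuse
}

// Server-side handler model: authorize the target user first, then validate the
// value against the allow-list for that setting name before it is stored.
function handleSaveSetting(actor, params, store) {
  const target = resolveTargetUser(actor, params.user_id);
  if (target === null) return { status: 403, error: 'forbidden' };
  const validate = VALIDATORS[params.name];
  if (!validate) return { status: 400, error: 'unknown setting' };
  const value = validate(params.value);
  store.set(`${target}:${params.name}`, value);
  return { status: 200, value };
}

// Defect 2: the client spliced the stored string into JavaScript. Re-validating
// on read and assigning through a typed style property means the value is never
// parsed as code, even if an unvalidated value somehow reached the store.
function applyFontSize(raw, element) {
  const px = VALIDATORS.email_font_size(raw);
  element.style.fontSize = `${px}px`;
  return element.style.fontSize;
}
```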

Added: May 29, 2026, 1:22 PM
Updated: May 29, 2026, 1:22 PM

Vulnerability Rating (custom algorithm)

spread          1.9
impact          5.4
exploitability  6.3
remediation     7.7
relevance       9.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.