2026-03-06 21:14:03
GitHub_M
PUBLISHED
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing injection and arbitrary JavaScript execution in the victims browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10.