CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

May 22, 2025

CVE ID : CVE-2025-48369

Published : May 22, 2025, 6:15 p.m. | 36 minutes ago

Description : Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice’s tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2024-13952 – ASPECT Predictable Filename Information Disclosure

Next Article CVE-2025-48366 – Group-Office Stored Blind XSS Vulnerability

CodeSOD: A Unique Way to Primary Key

BrowserStack launches Figma plugin for detecting accessibility issues in design phase

Parasoft brings agentic AI to service virtualization in latest release

Node.js vs. Python for Backend: 7 Reasons C-Level Leaders Choose Node.js Talent

The best CRM software with email marketing in 2025: Expert tested and reviewed

This multi-port car charger can power 4 gadgets at once – and it’s surprisingly cheap

I’m a wearables editor and here are the 7 Pixel Watch 4 rumors I’m most curious about

8 ways I quickly leveled up my Linux skills – and you can too

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

Zero Trust & Cybersecurity Mesh: Your Org’s Survival Guide

Execute Ping Commands and Get Back Structured Data in PHP

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

“I don’t think I changed his mind” — NVIDIA CEO comments on H20 AI GPU sales resuming in China following a meeting with President Trump

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

CVE-2025-44658 – Netgear RAX30 PHP-FPM Misconfigured Extension Bypass Vulnerability

CVE-2025-7393 – Drupal Mail Login Authentication Bypass

Google’s popular AI tool gets its own Android app – how to use NotebookLM on your phone

CVE-2025-32959 – CUBA Platform Denial of Service File Upload Vulnerability

CVE-2025-5688 – Microsoft Windows DNS Buffer Overflow Vulnerability

CVE-2025-4551 – ContiNew Admin Cross Site Scripting Vulnerability

CVE-2025-3807 – Zhenfeng13 My-BBS Unrestricted File Upload Vulnerability

SyncSDE: A Probabilistic Framework for Task-Adaptive Diffusion Synchronization in Collaborative Generation

A Step-by-Step Coding Guide to Building a Gemini-Powered AI Startup Pitch Generator Using LiteLLM Framework, Gradio, and FPDF in Google Colab with PDF Export Support

CVE-2025-7216 – “Lty628 Aidigu PHP Object Handler Deserialization Vulnerability”

CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

Related Posts