CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

May 22, 2025

CVE ID : CVE-2025-48369

Published : May 22, 2025, 6:15 p.m. | 36 minutes ago

Description : Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a persistent Cross-Site Scripting (XSS) vulnerability exists in Groupoffice’s tasks comment functionality, allowing attackers to execute arbitrary JavaScript by uploading an file with a crafted filename. When administrators or other users view the task containing this malicious file, the payload executes in their browser context. The application fails to sanitize image filenames before rendering them in the comment. By uploading an image with a crafted filename containing XSS payloads, attackers can steal sensitive information. Versions 6.8.119 and 25.0.20 contain a fix for the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2024-13952 – ASPECT Predictable Filename Information Disclosure

Next Article CVE-2025-48366 – Group-Office Stored Blind XSS Vulnerability

Sunshine And March Vibes (2025 Wallpapers Edition)

The Case For Minimal WordPress Setups: A Contrarian View On Theme Frameworks

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

SteamOS is officially not just for Steam Deck anymore — now ready for Lenovo Legion Go S and sort of ready for the ROG Ally

Microsoft’s latest AI model can accurately forecast the weather: “It doesn’t know the laws of physics, so it could make up something completely crazy”

OpenAI scientists wanted “a doomsday bunker” before AGI surpasses human intelligence and threatens humanity

My favorite gaming service is 40% off right now (and no, it’s not Xbox Game Pass)

A timeline of JavaScript’s history

A timeline of JavaScript’s history

Loading JSON Data into Snowflake From Local Directory

Streamline Conditional Logic with Laravel’s Fluent Conditionable Trait

SteamOS is officially not just for Steam Deck anymore — now ready for Lenovo Legion Go S and sort of ready for the ROG Ally

SteamOS is officially not just for Steam Deck anymore — now ready for Lenovo Legion Go S and sort of ready for the ROG Ally

Microsoft’s latest AI model can accurately forecast the weather: “It doesn’t know the laws of physics, so it could make up something completely crazy”

OpenAI scientists wanted “a doomsday bunker” before AGI surpasses human intelligence and threatens humanity

CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

Nmap 7.96 Launches with Lightning-Fast DNS and 612 Scripts

CVE-2025-47535 – Opal Woo Custom Product Variation Path Traversal

Light Leak Transitions, Effects & Templates

Hiring Kit: Chief Digital Officer

The new Outlook will be forced onto Windows 10 PCs next month, and there is no way to block it

300 Servers and €3.5M Seized as Europol Strikes Ransomware Networks Worldwide

4 ways you can start using gen AI to its full potential

LongPO: Enhancing Long-Context Alignment in LLMs Through Self-Optimized Short-to-Long Preference Learning

Hate ChatGPT’s model picker? So do we, and so does OpenAI

Top 5 Scariest Zombie Botnets

CVE-2025-48369 – Group-Office Cross-Site Scripting (XSS) Vulnerability in Tasks Comment Functionality

Related Posts