{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30237", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.798Z", "datePublished": "2026-03-06T21:13:33.925Z", "dateUpdated": "2026-03-09T20:54:28.748Z"}, "containers": {"cna": {"title": "Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.155", "status": "affected"}, {"version": "< 25.0.88", "status": "affected"}, {"version": "< 26.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:13:33.925Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}], "source": {"advisory": "GHSA-hchr-32xh-x5rx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30237", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:45:05.972907Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:28.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30237", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:45:05.972907Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:30.409Z"}}], "cna": {"title": "Group-Office: Self XSS in GroupOffice Installer License Page (install/license.php)", "source": {"advisory": "GHSA-hchr-32xh-x5rx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.155"}, {"status": "affected", "version": "< 25.0.88"}, {"status": "affected", "version": "< 26.0.10"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:13:33.925Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30237", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:28.748Z", "dateReserved": "2026-03-04T17:23:59.798Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:13:33.925Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "415D8E7D-4453-4E5A-A217-075E542202CD", "versionEndExcluding": "6.8.155", "vulnerable": true}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2B89827-16A4-41F5-8D9A-5F88E49B716F", "versionEndExcluding": "25.0.88", "versionStartIncluding": "25.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8AD3E6F-A69E-4CE5-9580-386D5EC22E51", "versionEndExcluding": "26.0.10", "versionStartIncluding": "25.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <textarea>, allowing a </textarea><script>...</script> breakout.. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}, {"lang": "es", "value": "Group-Office es una herramienta empresarial de gesti\u00f3n de relaciones con los clientes y groupware. Antes de las versiones 6.8.155, 25.0.88 y 26.0.10, existe una vulnerabilidad XSS reflejada en el instalador de GroupOffice, endpoint install/license.php. El campo POST license se representa sin escapar dentro de un , lo que permite una fuga . Este problema se ha corregido en las versiones 6.8.155, 25.0.88 y 26.0.10."}], "id": "CVE-2026-30237", "lastModified": "2026-03-11T13:33:49.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.283", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-hchr-32xh-x5rx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.8.155)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.88)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.0.10)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "groupoffice", "source": "cna", "vendor": "Intermesh"}, "product": "group-office", "vendor": "intermesh"}], "analysis": {"en": {"generated_at": "2026-04-16T11:09:24.738637+00:00", "value": {"mitigation_remediation": ["Upgrade GroupOffice to version 6.8.155, 25.0.88, or 26.0.10 or newer.", "Remove or restrict access to the installer pages in a production environment.", "Add server\u2011side input validation to the license parameter to escape or strip HTML before rendering."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting in GroupOffice installer"}, "threat_synthesis": {"affected_systems": "Intermesh GroupOffice versions earlier than 6.8.155, 25.0.88, and 26.0.10 are affected. The flaw resides in the install/license.php endpoint used during installation.", "description_and_impact": "A reflected XSS flaw exists in the installer license page of GroupOffice, where a POST variable is inserted into a textarea without escaping, permitting a CDATA break and arbitrary script execution. The vulnerability can be used to run malicious scripts in the browser of anyone who views the license page, potentially stealing session cookies or executing other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 2.1 indicates low severity, and the EPSS score of less than 1\u00a0% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the installer page, which normally exists only on a freshly provisioned server; therefore the attack surface is limited. Despite the low risk, the flaw permits user\u2011containing script injection and should be remediated promptly."}}}}, "created": "2026-03-09T10:06:50.453877+00:00", "updated": "2026-04-16T11:15:27.686230+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}