{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30238", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T17:23:59.798Z", "datePublished": "2026-03-06T21:14:03.149Z", "dateUpdated": "2026-03-09T20:54:28.592Z"}, "containers": {"cna": {"title": "Group-Office: Reflected XSS in JavaScript context", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.155", "status": "affected"}, {"version": "< 25.0.88", "status": "affected"}, {"version": "< 26.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:14:03.149Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}], "source": {"advisory": "GHSA-7p2f-c33m-rv5v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30238", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:44:43.774910Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:28.592Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30238", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:44:43.774910Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:47:28.305Z"}}], "cna": {"title": "Group-Office: Reflected XSS in JavaScript context", "source": {"advisory": "GHSA-7p2f-c33m-rv5v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.155"}, {"status": "affected", "version": "< 25.0.88"}, {"status": "affected", "version": "< 26.0.10"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T21:14:03.149Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30238", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:28.592Z", "dateReserved": "2026-03-04T17:23:59.798Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T21:14:03.149Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "415D8E7D-4453-4E5A-A217-075E542202CD", "versionEndExcluding": "6.8.155", "vulnerable": true}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2B89827-16A4-41F5-8D9A-5F88E49B716F", "versionEndExcluding": "25.0.88", "versionStartIncluding": "25.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8AD3E6F-A69E-4CE5-9580-386D5EC22E51", "versionEndExcluding": "26.0.10", "versionStartIncluding": "25.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript block without strict escaping, allowing </script><script>...</script> injection and arbitrary JavaScript execution in the victim's browser. This issue has been patched in versions 6.8.155, 25.0.88, and 26.0.10."}, {"lang": "es", "value": "Group-Office es una herramienta empresarial de gesti\u00f3n de relaciones con los clientes y groupware. Antes de las versiones 6.8.155, 25.0.88 y 26.0.10, existe una vulnerabilidad XSS reflejada en GroupOffice en el flujo externo/\u00edndice. El par\u00e1metro f (Base64 JSON) se decodifica y luego se inyecta en un bloque JavaScript en l\u00ednea sin un escape estricto, lo que permite la inyecci\u00f3n y la ejecuci\u00f3n arbitraria de JavaScript en el navegador de la v\u00edctima. Este problema se ha corregido en las versiones 6.8.155, 25.0.88 y 26.0.10."}], "id": "CVE-2026-30238", "lastModified": "2026-03-11T13:32:48.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.437", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-7p2f-c33m-rv5v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.8.155)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.88)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.0.10)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "groupoffice", "source": "cna", "vendor": "Intermesh"}, "product": "group-office", "vendor": "intermesh"}], "analysis": {"en": {"generated_at": "2026-04-16T11:09:09.243307+00:00", "value": {"mitigation_remediation": ["Apply the Intermesh vendor patch by upgrading to Group\u2011Office version 6.8.155, 25.0.88, or 26.0.10 or later.", "Deploy a web application firewall rule to block or sanitize the f query parameter on the external/index endpoint.", "Configure a strict Content Security Policy that disallows inline script execution and limits script sources to trusted domains."], "summary": {"action": "Patch", "impact": "Reflected XSS enabling arbitrary JavaScript execution in users' browsers"}, "threat_synthesis": {"affected_systems": "The flaw affects Intermesh Group\u2011Office installations running any version prior to 6.8.155, 25.0.88, or 26.0.10. All components that expose the external/index endpoint are impacted; newer releases beyond those specified already contain the patch.", "description_and_impact": "Group\u2011Office exposes a reflected cross\u2011site scripting flaw in its external index interface. A parameter named f \u2013 which carries Base64\u2011encoded JSON \u2013 is decoded and injected directly into an inline JavaScript block without proper escaping. By crafting a payload that closes the existing script block, injects new script tags, and reopens the block, an attacker can execute arbitrary JavaScript on a victim\u2019s browser when the vulnerable URL is visited. The vulnerability is classified as CWE\u201179 and allows an attacker to run client\u2011side code, potentially hijacking user sessions, exfiltrating data, or delivering phishing content.\n\nThe flaw is a client\u2011side only compromise; it does not grant the attacker server\u2011side privileges or direct access to system resources.\n\nThe risk is moderate: the CVSS base score is 5.1, and the EPSS score is below 1%, indicating low probability of exploitation. At present the flaw is not in the CISA KEV catalog, and there is no public exploitation evidence. An attacker would need to convince a user to visit a maliciously crafted URL (e.g., phishing or social engineering).", "risk_and_exploitability": "Attackers can exploit the flaw remotely by directing a victim to a forged external/index URL with a maliciously crafted f parameter. Because the input is unescaped in JavaScript, the attacker can inject code that runs in the victim\u2019s browser context. Compromise requires user interaction, i.e., the victim browsing the crafted link. Given the low EPSS score, realistic exploitation will be rare unless the organization is targeted by a sophisticated attacker who can lure users to the malicious URL. The CVSS score of 5.1 indicates a medium severity risk that can compromise confidentiality and integrity of client data, but it does not provide a remote code execution vector or direct server access."}}}}, "created": "2026-03-09T10:06:49.534056+00:00", "updated": "2026-04-16T11:15:27.685372+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}