PatchSiren cyber security CVE debrief

CVE-2026-45551 Intermesh CVE debrief

GroupOffice versions prior to 26.0.25, 25.0.100, and 6.8.165 contain a stored cross-site scripting (XSS) vulnerability arising from the combination of two weaknesses. First, the application allows authenticated users to persist arbitrary legacy settings for any user_id via the index.php?r=core/saveSetting endpoint without proper authorization checks. Second, the email module's client-side code injects the email_font_size setting directly into JavaScript without adequate escaping. A low-privileged authenticated attacker can exploit this by overwriting an administrator's email_font_size setting with a crafted JavaScript payload. When the administrator loads the GroupOffice web client, specifically views/Extjs3/modulescripts.php, the malicious script executes in their browser context. This vulnerability was published on 2026-05-29 and carries a CVSS 4.0 score of 5.1 (MEDIUM severity). The issue has been remediated in versions 26.0.25, 25.0.100, and 6.8.165.

Vendor: Intermesh
Product: groupoffice
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running GroupOffice CRM/groupware deployments with multiple user privilege levels, particularly those with external or low-trust user accounts. Security teams responsible for web application security in enterprise collaboration environments. Administrators of GroupOffice instances prior to the patched versions.

Technical summary

The vulnerability chain begins with an authorization bypass in the core settings save functionality (index.php?r=core/saveSetting), which fails to validate that the authenticated user is authorized to modify settings for the specified target user_id. This allows any authenticated user to overwrite settings belonging to other users, including administrators. The second component is a DOM-based XSS sink in the email module where the email_font_size configuration value is interpolated into JavaScript source code without proper escaping or sanitization. An attacker with any valid account can set an administrator's email_font_size to a payload such as a JavaScript string terminator followed by arbitrary script content. When the administrator subsequently loads the GroupOffice interface and the modulescripts.php resource is requested, the poisoned setting is retrieved and embedded into the response, causing execution in the administrator's browser session. The attack requires user interaction (administrator login and page load) but grants script execution in the privileged context of the targeted administrator account.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GroupOffice to version 26.0.25, 25.0.100, or 6.8.165 or later to remediate this vulnerability
  • Review and implement principle of least privilege for settings modification endpoints
  • Audit user settings for unexpected or malicious values, particularly email_font_size configurations
  • Implement output encoding for all user-controlled values injected into JavaScript contexts
  • Consider additional input validation on the saveSetting endpoint to prevent cross-user setting modification

Evidence notes

Vulnerability description confirms authenticated attack vector requiring low privileges. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and user interaction required. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-639 (Authorization Bypass Through User-Controlled Key) identified as applicable weaknesses.

Official resources

2026-05-29