Shodan
Vulnerabilities
Vulnerable Software
Group-Office:  Security Vulnerabilities
CVE-2023-46730
Group-Office is an enterprise CRM and groupware tool. In affected versions there is full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
7.4
EPSS Score
0.006
Published
2023-11-07
CVE-2023-25292
Reflected Cross Site Scripting (XSS) in Intermesh BV Group-Office version 6.6.145, allows attackers to gain escalated privileges and gain sensitive information via the GO_LANGUAGE cookie.
CVSS Score
6.1
EPSS Score
0.008
Published
2023-04-27
CVE-2020-35419
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-04-14
CVE-2021-28060
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
CVSS Score
5.3
EPSS Score
0.014
Published
2021-04-14
CVE-2020-35418
Cross Site Scripting (XSS) in the contact page of Group Office CRM 6.4.196 by uploading a crafted svg file.
CVSS Score
5.4
EPSS Score
0.005
Published
2021-04-14
CVE-2012-4240
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
CVSS Score
6.5
EPSS Score
0.012
Published
2014-09-11
CVE-2007-2720
Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/. NOTE: some of these details are obtained from third party information.
CVSS Score
4.3
EPSS Score
0.011
Published
2007-05-16


Products
Pricing
Contact Us

Shodan ® - All rights reserved