Executive Summary

CVE-2026-45551 is an authenticated stored cross-site scripting (XSS) vulnerability in GroupOffice, an enterprise CRM and groupware tool. It arises from two issues: first, authenticated users can write arbitrary legacy settings for any user, including administrators, without proper authorization checks. Second, the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these, a low-privileged user can overwrite an administrator's email_font_size setting with malicious JavaScript code. When the administrator loads the GroupOffice web client, this code executes in their browser, leading to stored XSS.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a low-privileged authenticated user to escalate privileges to administrator level by executing arbitrary JavaScript in the administrator's browser. The attacker can fully compromise the administrator's session, perform privileged actions such as accessing or modifying sensitive data, managing users, resetting passwords, and changing system configurations. Essentially, it can lead to a complete administrator account takeover.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your GroupOffice installation is running a vulnerable version prior to 26.0.25, 25.0.100, or 6.8.165. Additionally, monitoring for unusual requests to the endpoint `index.php?r=core/saveSetting` by authenticated users may indicate attempts to exploit the issue.

You can look for suspicious changes to the `email_font_size` setting for administrator user IDs, which could indicate an injected JavaScript payload.

While no specific commands are provided in the resources, you might use web server logs or application logs to search for POST requests to `index.php?r=core/saveSetting` with parameters targeting administrator user IDs.

• Example command to search web server logs for suspicious requests (adjust log path accordingly):
• grep 'index.php?r=core/saveSetting' /var/log/apache2/access.log | grep 'user_id=admin'
• Check database or application settings for unexpected JavaScript code in the `email_font_size` setting for administrator accounts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade GroupOffice to a fixed version: 26.0.25, 25.0.100, or 6.8.165 or later.

Until the upgrade can be performed, restrict access to the GroupOffice application to trusted users only, especially limiting low-privileged authenticated users who could exploit the vulnerability.

Monitor and audit changes to user settings, particularly the `email_font_size` setting for administrator accounts, to detect and remove any malicious payloads.

Consider applying web application firewall (WAF) rules to block suspicious requests to `index.php?r=core/saveSetting` that attempt to modify settings for other users.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows low-privileged authenticated users to execute stored cross-site scripting (XSS) attacks in the context of an administrator, leading to full administrator account takeover.

Such an account takeover can enable unauthorized access to sensitive data, modification of user accounts, and changes to system configurations.

Because of these impacts, the vulnerability could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive personal and health information from unauthorized access and modification.

Specifically, the ability to compromise administrator accounts and access or alter sensitive data may result in breaches of confidentiality, integrity, and accountability controls required by these regulations.

Useful 0 Not Useful 0