
DOM-Based XSS in All Date Input Fields Allows Arbitrary JavaScript Execution

Moderate
mschering published GHSA-c49j-qvp9-vgg6 May 22, 2025

Package

No package listed

Affected versions

<=6.8.118, 20.0.119

Patched versions

>=6.8.119, 25.0.20

Description

Summary

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM.

Details

The issue lies in the way user input is reflected into the DOM without proper sanitization. Specifically, user-supplied input is inserted into the page and rendered in a way that allows JavaScript execution via the onerror attribute of an <img> tag.

This kind of issue often arises when the application uses innerHTML or similar DOM-manipulation APIs directly with untrusted input. Although the exact vulnerable source code has not been identified, it appears that some page or component in GroupOffice reflects user-controlled data into the DOM unsafely.

PoC

  1. Log in to the GroupOffice application.

  2. Go to any date input field, such as in Calendar.

  3. Click the +Add button.

  4. Inject the following payload into a date field that is immediately rendered into the DOM:

    <img src=x onerror=alert(1)>
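
As an added illustration (not GroupOffice code; the advisory does not identify the vulnerable source), the JavaScript below contrasts the markup-concatenation pattern described under Details with strict date validation plus HTML escaping. The function names and the YYYY-MM-DD input format are assumptions made for the example.

```javascript
// Added example: illustrative only, not GroupOffice source code.
// Assumption: the date field is expected to hold an ISO date (YYYY-MM-DD).

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Strictly parse a date string; return the normalized date or null.
function parseDateInput(raw) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(raw).trim());
  if (!m) return null;
  const [year, month, day] = m.slice(1).map(Number);
  const d = new Date(Date.UTC(year, month - 1, day));
  // Reject overflowed dates such as 2025-02-30, which Date silently rolls forward.
  const valid = d.getUTCFullYear() === year &&
    d.getUTCMonth() === month - 1 && d.getUTCDate() === day;
  return valid ? m[0] : null;
}

// Weak pattern: raw input concatenated into markup destined for innerHTML.
function renderDateUnsafe(raw) {
  return '<span class="date">' + raw + "</span>";
}

// Hardened pattern: validate first, and escape whatever is echoed back.
function renderDateSafe(raw) {
  const date = parseDateInput(raw);
  if (date === null) {
    return '<span class="date invalid">Invalid date: ' + escapeHtml(raw) + "</span>";
  }
  return '<span class="date">' + escapeHtml(date) + "</span>";
}

// Constructed sample inputs; the last is the PoC string from this advisory.
const samples = ["2025-05-22", "2025-02-30", "<img src=x onerror=alert(1)>"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderDateSafe(s));
}
```

In browser code, assigning the value through textContent instead of innerHTML avoids building markup from the input at all.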

Impact

  • Steal sensitive data (cookies, localStorage, session tokens)
  • Perform actions as the victim user (CSRF escalation)
  • Redirect to phishing pages
  • Deface application contents

Severity

Moderate

CVE ID

CVE-2025-48368

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Credits