Summary
A stored (and blind) cross-site scripting vulnerability exists in the Phone Number field of the user profile in the GroupOffice application. A malicious user can inject a persistent JavaScript payload into their own profile; the payload is rendered unescaped in the Address Book and executes in the browser of any other user who views it. It is "blind" in the sense that the attacker does not see the payload fire and has no further interaction with the victim: the only action required of the victim is opening the Address Book. Successful exploitation allows forced redirects, unauthorized background requests, or any other arbitrary JavaScript execution in the victim's session.
Affected Component
- Phone Number Field in User Profile > Communication
Vulnerability Type
- Stored Cross-Site Scripting (XSS)
- Blind XSS
Steps to Reproduce (PoC)
- Login as Admin
  - Navigate to System Settings > Users.
  - Add two users, user1 and user2, using the +Add button.
- Inject XSS Payload
  - Logout from admin and login as user1.
  - Go to My Account > Profile > Communication.
  - Click Add Phone Number and insert the following payload:
    <img src=0 onerror="window.location='#summary'">
  - Save the entry.
- Trigger Blind XSS
  - Logout and login as user2.
  - Navigate to the Address Book.
  - The stored payload executes automatically as the page renders, redirecting user2's browser to the #summary URL fragment. No click on the entry is needed.
Impact
- Forced Redirects
  Users are redirected to unintended fragments or pages without their knowledge. The #summary fragment used in the PoC is harmless; the same payload can redirect to an attacker-controlled site.
- Unauthorized Fetch Requests
  Using <img onerror> or other techniques, an attacker can send background requests from the victim's browser to external domains or to internal endpoints that are reachable only from the victim's network position and session.
- Data Theft / Session Hijacking / Account Manipulation
  With a more advanced payload, an attacker could exfiltrate session data (subject to cookie attributes such as HttpOnly) or perform authenticated actions in the application on behalf of the victim, since the script runs in the victim's origin with the victim's session.
- Wide Impact Across Users
  As phone numbers are visible in the Address Book, any user who views the malicious entry triggers the payload. A single poisoned profile therefore affects every user who browses the Address Book, making the attack highly scalable.
Recommendation
- Output Encoding
  Contextually encode every user-controlled value before it is inserted into HTML, including the phone number and the other profile fields shown in the Address Book. This is the primary fix: encoding the characters & < > " ' for the HTML body and attribute contexts turns the payload above into inert text.
- Input Validation
  As defence in depth, restrict the Phone Number field to characters a phone number actually needs (digits, a leading +, spaces and common separators) and reject anything else at save time, so markup never reaches storage. Validation alone is not sufficient, because other fields will still need encoding.
- Content Security Policy
  A CSP that disallows inline script and inline event handlers limits what an injected payload can do if an encoding gap is missed.
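The following is an added example, not GroupOffice code. It contrasts the unsafe rendering pattern that produces the stored XSS above with the two fixes from the Recommendation section: HTML output encoding of the stored value, and an allowlist check at save time. The payload is the one from the PoC; the helper names, the table-cell markup and the phone allowlist pattern are assumptions for illustration.

```javascript
// Added example (not GroupOffice code). The stored value from the PoC,
// exactly as it would sit in the Phone Number field of user1's profile.
const POC_PAYLOAD = '<img src=0 onerror="window.location=\'#summary\'">';

// Unsafe: interpolating the stored value straight into Address Book markup.
// The browser parses the <img> element and fires its onerror handler.
// (Hypothetical renderer, for illustration only.)
function renderPhoneCellUnsafe(phone) {
  return `<td class="phone">${phone}</td>`;
}

// Output encoding for the HTML body and quoted-attribute contexts: the five
// characters that can change context are replaced with entity references.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe renderer: same markup, but the stored value is encoded first, so the
// payload is displayed as literal text instead of being parsed as an element.
function renderPhoneCellSafe(phone) {
  return `<td class="phone">${escapeHtml(phone)}</td>`;
}

// Defence in depth at save time: an assumed allowlist of what a phone number
// may contain (digits, optional leading '+' or '(', spaces, ().-/ separators).
// Adjust to the formats the deployment must accept; markup never passes.
const PHONE_PATTERN = /^\+?[0-9(][0-9 ().\/-]{3,30}$/;

function isValidPhone(value) {
  return PHONE_PATTERN.test(String(value));
}

// Check used by this example to show the difference: does the rendered cell
// contain any element other than the <td> wrapper itself?
function hasUnescapedTag(html) {
  return /<(?!\/?td\b)[a-z]/i.test(html);
}

// Walkthrough: the unsafe renderer emits a live <img>; the safe one does not,
// and the validator would have rejected the value before it was stored.
console.log('unsafe:', renderPhoneCellUnsafe(POC_PAYLOAD), hasUnescapedTag(renderPhoneCellUnsafe(POC_PAYLOAD)));
console.log('safe:  ', renderPhoneCellSafe(POC_PAYLOAD), hasUnescapedTag(renderPhoneCellSafe(POC_PAYLOAD)));
console.log('valid phone?', isValidPhone(POC_PAYLOAD), isValidPhone('+31 6 1234 5678'));
```

Encoding is applied at the point of output, not at the point of storage: the same phone number may later be rendered in a different context (a JSON API response, a vCard export, a JavaScript string) where HTML entities would be wrong, so each sink encodes for its own context. The allowlist runs separately on save and is only a second layer.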