CVE-2026-30238 Overview
Group-Office is an enterprise customer relationship management and groupware tool developed by Intermesh. A reflected Cross-Site Scripting (XSS) vulnerability exists in the external/index flow of Group-Office. The f parameter, which contains Base64-encoded JSON data, is decoded and injected into an inline JavaScript block without proper escaping. This allows attackers to craft malicious URLs containing </script><script>...</script> payloads that execute arbitrary JavaScript in the victim's browser when clicked.
Critical Impact
Attackers can exploit this vulnerability to steal session cookies, hijack user accounts, perform actions on behalf of authenticated users, or redirect victims to malicious sites by crafting specially encoded URLs.
Affected Products
- Intermesh Group-Office versions prior to 6.8.155
- Intermesh Group-Office versions prior to 25.0.88
- Intermesh Group-Office versions prior to 26.0.10
Discovery Timeline
- 2026-03-06 - CVE-2026-30238 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30238
Vulnerability Analysis
This reflected XSS vulnerability occurs due to improper output encoding in the external/index endpoint of Group-Office. When the application processes the f parameter, it performs Base64 decoding on JSON data and directly injects the decoded content into an inline JavaScript block within the HTML response. The lack of strict escaping allows attackers to break out of the existing script context and inject their own malicious JavaScript code.
The vulnerability follows the classic reflected XSS pattern where user-supplied input is immediately reflected in the server response without adequate sanitization. Since the injection point is within an inline JavaScript block, attackers can use script tag closing sequences followed by new script tags to achieve code execution.
Root Cause
The root cause is insufficient input validation and output encoding when handling the Base64-encoded f parameter in the external/index flow. The application fails to properly escape special characters that have syntactic meaning in HTML/JavaScript contexts, specifically the </script> sequence that allows breaking out of the current script block.
Attack Vector
This is a network-based attack requiring user interaction. An attacker must craft a malicious URL containing a specially crafted f parameter with Base64-encoded payload that includes script injection sequences. The attacker then delivers this URL to victims through phishing emails, social media, or other channels. When a victim clicks the malicious link while authenticated to Group-Office, the injected JavaScript executes in their browser session with full access to their session context.
The attack leverages the f parameter's Base64 encoding to obfuscate the malicious payload, potentially bypassing basic URL inspection. Once decoded by the server, the payload breaks out of the legitimate script context using </script> and introduces a new script block with attacker-controlled code.
Detection Methods for CVE-2026-30238
Indicators of Compromise
- Suspicious HTTP requests to /external/index endpoints containing unusually long or encoded f parameters
- Base64-decoded parameter values containing HTML/JavaScript tags such as <script> or </script>
- Web server logs showing repeated access to external/index with varying encoded payloads from the same source
- User reports of unexpected browser behavior after clicking Group-Office related links
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing script injection patterns in Base64-encoded parameters
- Monitor HTTP access logs for suspicious patterns in the f parameter targeting the external/index endpoint
- Deploy browser-based XSS detection tools to identify attempts to execute injected scripts
- Review Content Security Policy (CSP) violation reports for script execution from inline sources
Monitoring Recommendations
- Enable detailed logging for all requests to the external/index endpoint
- Configure alerting for anomalous request patterns or parameter sizes to the affected endpoint
- Monitor for CSP violations that may indicate XSS exploitation attempts
- Track authentication events following visits to external/index to identify potential session hijacking
How to Mitigate CVE-2026-30238
Immediate Actions Required
- Upgrade Group-Office to patched versions 6.8.155, 25.0.88, or 26.0.10 immediately
- Implement Content Security Policy headers to restrict inline script execution
- Deploy web application firewall rules to filter malicious input patterns
- Educate users about the risks of clicking untrusted links to the Group-Office application
Patch Information
Intermesh has released security patches addressing this vulnerability in Group-Office versions 6.8.155, 25.0.88, and 26.0.10. Organizations should upgrade to the appropriate patched version based on their current deployment branch. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-7p2f-c33m-rv5v.
Workarounds
- Implement a reverse proxy or WAF rule to sanitize or block requests to /external/index containing suspicious encoded content
- Configure Content Security Policy headers with script-src 'self' to prevent inline script execution
- Restrict access to the external/index endpoint to trusted IP ranges or authenticated users only where feasible
- Consider temporarily disabling the affected endpoint if it is not critical to operations until patching is complete
# Example Content Security Policy header configuration (Apache)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
