Server-Side Request Forgery in groupoffice
CVE-2023-46730

7.4 HIGH

Key Information:

Vendor

Intermesh

CVE Published:
7 November 2023

What is CVE-2023-46730?

Group-Office, a popular CRM and groupware solution, has a Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. Because the endpoint does not properly validate the URLs it is given, an authenticated user can make the server issue requests to untrusted domains, potentially exposing sensitive information. The same flaw can be used with file-protocol URLs to read from the server's disk. There are no workarounds, so users are strongly advised to upgrade to version 6.8.15, 6.7.54, or 6.6.177.
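The two failure modes named above (no URL-scheme restriction, so file:// is accepted, and no check on where the destination host actually points) are what a server-side fetch endpoint has to validate before following a user-supplied URL. The following is an added, language-neutral illustration in Python of such a check; it is not Group-Office's code, and the `resolver` parameter, `validate_fetch_url` and the sample URLs are constructed for this example.

```python
"""Constructed example of SSRF-hardening checks for a "fetch this URL" feature.

Not Group-Office's own code; the function and parameter names are invented.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(hostname):
    """Return every address (IPv4 and IPv6) the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    ip.is_global already excludes loopback, RFC 1918 and ULA private space,
    link-local (which covers cloud metadata endpoints) and reserved ranges.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, resolver=default_resolver):
    """Return (True, None) if url may be fetched server-side, else (False, reason).

    Order of checks: parseable, allowed scheme (rejects file://, gopher://,
    ...), host present, no embedded credentials, and every address the host
    resolves to is public. All resolved addresses are checked because an
    attacker-controlled name may answer with a private address.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError) as exc:
        return False, f"cannot resolve host: {exc}"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, None
```

Note that this validates the first destination only; a fetch that follows HTTP redirects must re-run the same check on every redirect target.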

Affected Version(s)

groupoffice >= 6.3.0, < 6.6.177 (fixed in 6.6.177)

groupoffice >= 6.7.0, < 6.7.54 (fixed in 6.7.54)

groupoffice >= 6.8.0, < 6.8.15 (fixed in 6.8.15)

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
