This is a summary of the AI-generated 10-question deep analysis.
Q1. What is this vulnerability? (Essence + Consequences)

**Essence**: Group Office suffers from **Unsafe Deserialization** in the `AbstractSettingsCollection` model.…

**Affected Versions**:
- Group Office **6.8.156** and earlier
- Group Office **25.0.90** and earlier
- Group Office **26.0.12** and earlier

**Vendor**: Intermesh (Group Office).
Q4. What can hackers do? (Privileges/Data)

**Attacker Capabilities**:
- **Remote Code Execution (RCE)**: Run arbitrary commands on the server.
- **Arbitrary File Write**: Modify or create files on the filesystem.
- **Full System Compromise**: High impact on Co…

**Exploitation Threshold**: **Medium**. The CVSS vector `PR:L` indicates **Privileges Required**. An attacker likely needs **authenticated access** to the Group Office application to trigger the deserialization flaw.…

**Public Exploit Status**: **No**. The `pocs` field is empty. While GitHub advisories exist, there are no confirmed public Proof-of-Concept (PoC) exploits or widespread wild exploitation reported yet.
Q7. How to self-check? (Features/Scanning)

**Self-Check Method**:
1. Check your Group Office version against the affected list.
2. Scan for usage of the `AbstractSettingsCollection` class in custom modules.
3. …

**Official Fix**: **Yes**. Patches are available in the following releases:
- v6.8.156
- v25.0.90
- v26.0.12

**Reference**: GitHub Advisory GHSA-h22j-frrf-5vxq, https://github.com/Intermesh/groupoffice/security/advi…

**Urgency**: **HIGH**. Despite requiring authentication, the impact is **Critical** (RCE + File Write). The CVSS score is high (`H` for all impact metrics).…