{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33755/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","cve-2026-33755","group-office","jmap"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGroup-Office, an enterprise CRM and groupware tool, contains a critical SQL injection vulnerability affecting versions prior to 6.8.158, 25.0.92, and 26.0.17. The vulnerability resides in the JMAP \u003ccode\u003eContact/query\u003c/code\u003e endpoint. Any authenticated user with basic address book access can exploit this flaw to extract arbitrary data from the database. A successful exploit allows an attacker to retrieve sensitive information such as active session tokens belonging to other users. This can lead to complete account takeover, including the System Administrator account, without requiring the user\u0026rsquo;s password. \nApplying the security patches released in versions 6.8.158, 25.0.92, and 26.0.17 resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Group-Office application with a valid user account that has basic address book access privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JMAP \u003ccode\u003eContact/query\u003c/code\u003e request containing a SQL injection payload within a parameter processed by the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eThe Group-Office application processes the crafted request without proper sanitization, allowing the SQL injection payload to be executed against the database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection attack is successful, allowing the attacker to extract sensitive information, including session tokens, user credentials, or other privileged data, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the database response and identifies valid session tokens belonging to other users.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session token to hijack another user\u0026rsquo;s session, bypassing normal authentication procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the target user\u0026rsquo;s account, gaining unauthorized access to sensitive data and functionalities.\u003c/li\u003e\n\u003cli\u003eDepending on the compromised user\u0026rsquo;s privileges, the attacker can escalate privileges, access sensitive data, or perform administrative actions, leading to a complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to take over any account within the Group-Office system. The impact includes unauthorized access to sensitive customer data, financial records, and internal communications. \nSystem administrators are particularly at risk, as their compromise grants attackers full control over the Group-Office environment. This could lead to data breaches, service disruption, and reputational damage. The CVSS v3.1 base score is rated 8.8, highlighting the high severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Group-Office instances to version 6.8.158, 25.0.92, or 26.0.17 to patch CVE-2026-33755.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to the \u003ccode\u003e/jmap\u003c/code\u003e endpoint containing potentially malicious SQL syntax, as indicated in the rule \u0026ldquo;Group-Office Suspicious JMAP Contact Query\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Group-Office Potential Session Token Theft\u0026rdquo; to detect unauthorized access attempts using potentially stolen session tokens.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization measures to prevent SQL injection vulnerabilities in all web applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T15:16:57Z","date_published":"2026-03-27T15:16:57Z","id":"/briefs/2026-03-group-office-sqli/","summary":"An authenticated SQL Injection vulnerability in Group-Office's JMAP Contact/query endpoint allows data extraction, including session tokens, leading to account takeover if unpatched.","title":"Group-Office JMAP Contact/Query SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-group-office-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33755","version":"https://jsonfeed.org/version/1.1"}