


Perceptive Security
SOC/SIEM Consultancy

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injecti…
Published:
26 March 2026 at 23:00:00
Alert date:
27 March 2026 at 20:07:04
Source:
nvd.nist.gov
Enterprise Applications, Database & Storage
Group-Office, an enterprise CRM and groupware tool, contains an authenticated SQL injection vulnerability in the JMAP Contact/query endpoint. The vulnerability affects versions prior to 6.8.158, 25.0.92, and 26.0.17. Any authenticated user with basic addressbook access can exploit this flaw to extract arbitrary data from the database, including active session tokens of other users. This enables complete account takeover of any user, including System Administrators, without requiring password knowledge. The vulnerability has been patched in the specified versions.
Technical details
Mitigation steps:
Affected products:
Group-Office
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33755
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
