An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi() and eval() in the FunctionField.php
{
"unresolved_ranges": [
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "v.25.0.47"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/63xxx/CVE-2025-63406.json",
"cna_assigner": "mitre"
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "6.8.136"
},
{
"introduced": "25.0.1"
},
{
"fixed": "25.0.47"
}
]
}