Dzzoffice
by Dzzoffice
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-63695 | Cri | 0.64 | 9.8 | 0.00 | Nov 18, 2025 | DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. | ||
| CVE-2025-63694 | Cri | 0.64 | 9.8 | 0.00 | Nov 18, 2025 | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. | ||
| CVE-2022-43340 | Hig | 0.57 | 8.8 | 0.00 | Oct 27, 2022 | A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. | ||
| CVE-2023-39853 | Med | 0.42 | 6.5 | 0.01 | Jan 6, 2024 | SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module. | ||
| CVE-2024-29273 | Med | 0.40 | 6.1 | 0.00 | Mar 22, 2024 | There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document. | ||
| CVE-2021-30203 | Med | 0.40 | 6.1 | 0.01 | Jun 27, 2023 | A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML. | ||
| CVE-2020-19703 | Med | 0.40 | 6.1 | 0.01 | Aug 26, 2021 | A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||
| CVE-2025-63693 | Med | 0.35 | 5.4 | 0.00 | Nov 18, 2025 | The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or… | ||
| CVE-2021-40292 | Med | 0.35 | 5.4 | 0.01 | Oct 12, 2021 | A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. | ||
| CVE-2021-30205 | Med | 0.34 | 5.3 | 0.01 | Jun 27, 2023 | Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames. |
- risk 0.64cvss 9.8epss 0.00
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
- risk 0.64cvss 9.8epss 0.00
DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
- risk 0.57cvss 8.8epss 0.00
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
- risk 0.42cvss 6.5epss 0.01
SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.
- risk 0.40cvss 6.1epss 0.00
There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.
- risk 0.40cvss 6.1epss 0.01
A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.
- risk 0.40cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- risk 0.35cvss 5.4epss 0.00
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or…
- risk 0.35cvss 5.4epss 0.01
A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.
- risk 0.34cvss 5.3epss 0.01
Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.