VYPR

Dzzoffice

by Dzzoffice

CVEs (10)

  • CVE-2025-63695CriNov 18, 2025
    risk 0.64cvss 9.8epss 0.00

    DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

  • CVE-2025-63694CriNov 18, 2025
    risk 0.64cvss 9.8epss 0.00

    DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.

  • CVE-2022-43340HigOct 27, 2022
    risk 0.57cvss 8.8epss 0.00

    A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.

  • CVE-2023-39853MedJan 6, 2024
    risk 0.42cvss 6.5epss 0.01

    SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.

  • CVE-2024-29273MedMar 22, 2024
    risk 0.40cvss 6.1epss 0.00

    There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.

  • CVE-2021-30203MedJun 27, 2023
    risk 0.40cvss 6.1epss 0.01

    A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2020-19703MedAug 26, 2021
    risk 0.40cvss 6.1epss 0.01

    A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2025-63693MedNov 18, 2025
    risk 0.35cvss 5.4epss 0.00

    The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or…

  • CVE-2021-40292MedOct 12, 2021
    risk 0.35cvss 5.4epss 0.01

    A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.

  • CVE-2021-30205MedJun 27, 2023
    risk 0.34cvss 5.3epss 0.01

    Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.