CVE-2025-63693

Published: Nov 18, 2025Modified: Nov 20, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.

Affected (1)

Products: Dzzoffice: Dzzoffice

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dzzoffice Dzzoffice	Up to 2.3.7

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://github.com/Yohane-Mashiro/dzzoffice_xss

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://github.com/zyx0814/dzzoffice/issues/363

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.