Dzzoffice

dzzoffice

Vendor: Dzzoffice • 14 CVEs

CVEs (14)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-63693 1Dzzoffice 1Dzzoffice Nov 20, 2025 Nov 18, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows lo...Show more The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.Show less
CVE-2025-63695 1Dzzoffice 1Dzzoffice Nov 20, 2025 Nov 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
CVE-2025-63694 1Dzzoffice 1Dzzoffice Nov 20, 2025 Nov 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
CVE-2024-41376 1Dzzoffice 1Dzzoffice Nov 20, 2025 Aug 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.
CVE-2024-29273 1Dzzoffice 1Dzzoffice Jun 17, 2025 Mar 22, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.
CVE-2023-39853 1Dzzoffice 1Dzzoffice Jun 16, 2025 Jan 6, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.
CVE-2021-30205 1Dzzoffice 1Dzzoffice Dec 5, 2024 Jun 27, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.
CVE-2021-30203 1Dzzoffice 1Dzzoffice Nov 21, 2024 Jun 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.
CVE-2022-43340 1Dzzoffice 1Dzzoffice May 12, 2025 Oct 27, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
CVE-2021-43673 1Dzzoffice 1Dzzoffice Nov 21, 2024 Dec 3, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)).
CVE-2021-40292 1Dzzoffice 1Dzzoffice Nov 21, 2024 Oct 12, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.
CVE-2021-40191 1Dzzoffice 1Dzzoffice Nov 21, 2024 Oct 11, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type...Show more Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php.Show less
CVE-2020-19703 1Dzzoffice 1Dzzoffice Nov 21, 2024 Aug 26, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2021-3318 1Dzzoffice 1Dzzoffice Nov 21, 2024 Jan 27, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.