zyx0814/dzzoffice

GitHub

github.com

Releases13

Frequency8 months 3 weeks

Last Release 5 months ago

Stars4.03K

dzzoffice

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-63693 ↗	Nov 18, 2025Tuesday, 18 November 2025, 19:15	5.4 MEDIUM	—
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
CVE-2025-63695 ↗	Nov 18, 2025Tuesday, 18 November 2025, 18:16	9.8 CRITICAL	—
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
CVE-2025-63694 ↗	Nov 18, 2025Tuesday, 18 November 2025, 18:16	9.8 CRITICAL	—
DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
CVE-2024-41376 ↗	Aug 5, 2024Monday, 5 August 2024, 17:15	8.8 HIGH	—
dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.
CVE-2024-29273 ↗	Mar 22, 2024Friday, 22 March 2024, 04:15	6.1 MEDIUM	—
There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.
CVE-2021-30203 ↗	Jun 27, 2023Tuesday, 27 June 2023, 14:15	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.
CVE-2021-30205 ↗	Jun 27, 2023Tuesday, 27 June 2023, 14:15	5.3 MEDIUM	—
Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.
CVE-2022-43340 ↗	Oct 27, 2022Thursday, 27 October 2022, 20:15	8.8 HIGH	—
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
CVE-2021-43673 ↗	Dec 3, 2021Friday, 3 December 2021, 12:15	6.1 MEDIUM	4.3 MEDIUM
dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)).
CVE-2021-40292 ↗	Oct 12, 2021Tuesday, 12 October 2021, 18:15	5.4 MEDIUM	3.5 LOW
A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.
CVE-2021-40191 ↗	Oct 11, 2021Monday, 11 October 2021, 14:15	5.4 MEDIUM	3.5 LOW
Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php.
CVE-2020-19703 ↗	Aug 26, 2021Thursday, 26 August 2021, 03:15	6.1 MEDIUM	4.3 MEDIUM
A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2021-3318 ↗	Jan 27, 2021Wednesday, 27 January 2021, 18:15	6.1 MEDIUM	4.3 MEDIUM
attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.