DzzofficeCVEs & Vulnerabilities

14 CVEs affecting Dzzoffice products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

dzzoffice 14
CVE-2025-63693MEDIUM

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.

18 Nov 2025
5.4
CVSS
CVE-2025-63695CRITICAL

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.

18 Nov 2025
9.8
CVSS
CVE-2025-63694CRITICAL

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.

18 Nov 2025
9.8
CVSS
CVE-2024-41376HIGH

dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.

5 Aug 2024
8.8
CVSS
CVE-2024-29273MEDIUM

There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.

22 Mar 2024
6.1
CVSS
CVE-2023-39853MEDIUM

SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.

6 Jan 2024
6.5
CVSS
CVE-2021-30205MEDIUM

Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.

27 Jun 2023
5.3
CVSS
CVE-2021-30203MEDIUM

A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.

27 Jun 2023
6.1
CVSS
CVE-2022-43340HIGH

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.

27 Oct 2022
8.8
CVSS
CVE-2021-43673MEDIUM

dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)).

3 Dec 2021
6.1
CVSS
CVE-2021-40292MEDIUM

A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.

12 Oct 2021
5.4
CVSS
CVE-2021-40191MEDIUM

Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php.

11 Oct 2021
5.4
CVSS
CVE-2020-19703MEDIUM

A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

26 Aug 2021
6.1
CVSS
CVE-2021-3318MEDIUMpoc

attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.

27 Jan 2021
6.1
CVSS
← PrevPage 1 / 1Next →