Dzzoffice 2.01 Security Vulnerabilities
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
CVSS Score: 5.4
EPSS Score: 0.0
Published: 2025-11-18
DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
CVSS Score: 9.8
EPSS Score: 0.0
Published: 2025-11-18
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2025-11-18
SQL Injection vulnerability in Dzzoffice version 2.01 allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2024-01-06
attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2021-01-27

