Shodan
Vulnerabilities
Vulnerable Software
Dzzoffice:  >> Dzzoffice  >> 2.02.1  Security Vulnerabilities
CVE-2025-63693
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-18
CVE-2025-63694
DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-18
CVE-2025-63695
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-11-18
CVE-2024-41376
dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.
CVSS Score
8.8
EPSS Score
0.029
Published
2024-08-05
CVE-2021-30203
A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML.
CVSS Score
6.1
EPSS Score
0.013
Published
2023-06-27
CVE-2021-30205
Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-06-27
CVE-2022-43340
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
CVSS Score
8.8
EPSS Score
0.001
Published
2022-10-27
CVE-2021-43673
dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)).
CVSS Score
6.1
EPSS Score
0.002
Published
2021-12-03
CVE-2021-40292
A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2021-10-12
CVE-2021-40191
Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-11


Products
Pricing
Contact Us

Shodan ® - All rights reserved