Skip to main content

Dzzoffice CVE-2021-40292

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-10-12 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 12, 2021 - 18:15 nvd
MEDIUM 5.4

DescriptionNVD

A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter.

AnalysisAI

A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. Affected products include: Dzzoffice.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-43340 HIGH POC
8.8 Oct 27

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and

CVE-2024-41376 HIGH POC
8.8 Aug 05

dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php. Rated high severity (CVSS 8.8), this vul

CVE-2023-39853 MEDIUM POC
6.5 Jan 06

SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the d

CVE-2024-29273 MEDIUM POC
6.1 Mar 22

There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload

CVE-2021-43673 MEDIUM POC
6.1 Dec 03

dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. Rated medium sev

CVE-2021-3318 MEDIUM POC
6.1 Jan 27

attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter. Rated medium severity (CVSS 6.1), thi

CVE-2021-40191 MEDIUM POC
5.4 Oct 11

Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all up

CVE-2025-63693 MEDIUM POC
5.4 Nov 18

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping fo

CVE-2025-63695 CRITICAL POC
9.8 Nov 18

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. Rated crit

CVE-2025-63694 CRITICAL POC
9.8 Nov 18

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. Rated critical severity (CVSS 9.8),

Share

CVE-2021-40292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy