Skip to main content

Dzzoffice CVE-2022-43340

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2022-10-27 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 27, 2022 - 20:15 nvd
HIGH 8.8

DescriptionNVD

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.

AnalysisAI

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. Affected products include: Dzzoffice.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2024-41376 HIGH POC
8.8 Aug 05

dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php. Rated high severity (CVSS 8.8), this vul

CVE-2023-39853 MEDIUM POC
6.5 Jan 06

SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the d

CVE-2024-29273 MEDIUM POC
6.1 Mar 22

There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload

CVE-2021-43673 MEDIUM POC
6.1 Dec 03

dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. Rated medium sev

CVE-2021-3318 MEDIUM POC
6.1 Jan 27

attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter. Rated medium severity (CVSS 6.1), thi

CVE-2021-40292 MEDIUM POC
5.4 Oct 12

A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. Rated medium s

CVE-2021-40191 MEDIUM POC
5.4 Oct 11

Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all up

CVE-2025-63693 MEDIUM POC
5.4 Nov 18

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping fo

CVE-2025-63695 CRITICAL POC
9.8 Nov 18

DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. Rated crit

CVE-2025-63694 CRITICAL POC
9.8 Nov 18

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. Rated critical severity (CVSS 9.8),

Share

CVE-2022-43340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy