dzzoffice 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk sql injection, and vendor risk csrf に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and vendor impact data exposure などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-63693 | The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up. | [email protected] | 5.4 | 0.02% | 2025-11-18 | 2025-11-20 |
| CVE-2025-63695 | DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. | [email protected] | 9.8 | 0.05% | 2025-11-18 | 2025-11-20 |
| CVE-2025-63694 | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. | [email protected] | 9.8 | 0.05% | 2025-11-18 | 2025-11-20 |
| CVE-2024-41376 | dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php. | [email protected] | 8.8 | 2.87% | 2024-08-05 | 2025-11-20 |
| CVE-2024-29273 | There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document. | [email protected] | 6.1 | 0.09% | 2024-03-22 | 2025-06-17 |
| CVE-2023-39853 | SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module. | [email protected] | 6.5 | 0.17% | 2024-01-06 | 2025-06-16 |
| CVE-2021-30205 | Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames. | [email protected] | 5.3 | 0.17% | 2023-06-27 | 2024-12-05 |
| CVE-2021-30203 | A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1_SC_UTF8 allows attackers to execute arbitrary web scripts or HTML. | [email protected] | 6.1 | 0.90% | 2023-06-27 | 2024-11-21 |
| CVE-2022-43340 | A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. | [email protected] | 8.8 | 0.13% | 2022-10-27 | 2025-05-12 |
| CVE-2021-43673 | dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of the exit function is printed for the user via exit(json_encode($return)). | [email protected] | 6.1 | 0.21% | 2021-12-03 | 2024-11-21 |
| CVE-2021-40292 | A Stored Cross Site Sripting (XSS) vulnerability exists in DzzOffice 2.02.1 via the settingnew parameter. | [email protected] | 5.4 | 0.26% | 2021-10-12 | 2024-11-21 |
| CVE-2021-40191 | Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data at all upload functions in webroot/dzz/attach/Uploader.class.php and return a wrong response in content-type of output data in webroot/dzz/attach/controller.php. | [email protected] | 5.4 | 0.18% | 2021-10-11 | 2024-11-21 |
| CVE-2020-19703 | A cross-site scripting (XSS) vulnerability in the referer parameter of Dzzoffice 2.02 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | [email protected] | 6.1 | 0.20% | 2021-08-26 | 2024-11-21 |
| CVE-2021-3318 | attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter. | [email protected] | 6.1 | 0.30% | 2021-01-27 | 2024-11-21 |