DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
The vulnerability (CWE-434) is located in the /dzz/system/ueditor/php/controller.php script, which handles files uploaded through the UEditor editor. Lack of proper validation of the type and extension of uploaded files allows an attacker to upload an executable file (e.g., a PHP webshell) without needing permissions or user interaction. After successful upload, the malicious file can be executed by the web server.
An attacker can gain full control over the server through remote code execution (RCE), as well as steal, modify, or destroy data stored in the system (loss of confidentiality, integrity, and availability).
DzzOffice should be updated immediately to a version newer than 2.3.7 as soon as the vendor releases a patch. Until the patch is applied, it is recommended to restrict network access to the /dzz/system/ueditor/php/controller.php endpoint (e.g., through firewall rules or web server configuration) and disable file upload functionality in this feature. Patches available from the vendor should be applied according to the references.
DzzOffice version 2.3.7 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDzzoffice
APPDzzoffice≤ 2.3.7
Related vulnerabilities
SQL Injection w DzzOffice – krytyczna podatność w module zarządzania grupami
dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user ac...
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security e...
There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XS...