CRITICAL🇵🇱 Wersja polska

CVE-2025-63694

CVSS 9.8v3.1pub. 2025-11-18upd. 2025-11-20

DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.

🤖 AI Analysis
How it works

The vulnerability consists of insufficient validation and sanitization of input data passed to SQL queries in the group management module (explorer/groupmanage). An attacker can inject malicious SQL code into request parameters, resulting in the application executing unintended operations on the database. Due to the network vector (AV:N) and no authentication requirements (PR:N) or user interaction (UI:N), the attack can be conducted remotely by any individual.

Impact

An attacker can gain full access to data stored in the database, modify or delete any data, and in favorable configurations also cause a system availability breach. CVSS indicates complete violation of confidentiality, integrity, and availability.

Mitigation & patch

Patches available from the vendor should be applied according to references. As a temporary workaround, it is recommended to restrict network access to the DzzOffice instance to trusted IP addresses only and monitor database queries for anomalies.

Who is affected

DzzOffice version 2.3.7 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dzzoffice

    APP
    Dzzoffice
    ≤ 2.3.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-63695CRITICAL9.8PL ✓ten sam produkt

Dowolne przesyłanie plików w DzzOffice — krytyczna podatność RCE

CVE-2024-41376HIGH8.8ten sam produkt

dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php.

CVE-2022-43340HIGH8.8ten sam produkt

A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user ac...

CVE-2025-63693MEDIUM5.4ten sam produkt

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security e...

CVE-2024-29273MEDIUM6.1ten sam produkt

There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XS...

CVE-2025-63694 — Dzzoffice — CRITICAL — CVSS 9.8 | CVEbaza.pl