CVE-2021-3318

MEDIUM

dzzoffice < 2.02.1 - Cross-Site Scripting via editorid Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3318. PoCs published by nu11secur1ty.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in DzzOffice 2.02.1 by automating login and injecting malicious scripts into admin settings. It uses Selenium to interact with the web interface and deploy payloads.

Description

attach/ajax.php in DzzOffice through 2.02.1 allows XSS via the editorid parameter.

Exploits (1)

exploitdb WORKING POC

by nu11secur1ty · pythonwebappsmultiple

https://www.exploit-db.com/exploits/49799

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in DzzOffice 2.02.1 by automating login and injecting malicious scripts into admin settings. It uses Selenium to interact with the web interface and deploy payloads.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: DzzOffice 2.02.1

Auth required

Prerequisites: Valid admin credentials · Access to the target web interface · Selenium and Chrome WebDriver installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/zyx0814/dzzoffice/issues/173

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162314/DzzOffice-2.02.1-Cross-Site-Scripting.html

Scores

CVSS v3 6.1

EPSS 0.0285

EPSS Percentile 84.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

dzzoffice/dzzoffice < 2.02.1

Published Jan 27, 2021

Tracked Since Feb 18, 2026