CVE-2025-63693 – This is a cross-site scripting (XSS) vulnerabil... (How to Fix)

Q: What is the severity of CVE-2025-63693?

CVE-2025-63693 has a CVSS score of 5.4 (MEDIUM). This is a cross-site scripting (XSS) vulnerability in DzzOffice 2.3.x that allows low-privilege attackers to inject malicious JavaScript into comment editing templates. When victims open the editing pop-up, the attacker's code executes in their browser context. All DzzOffice 2.3.x installations with comment functionality enabled are affected.

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in DzzOffice 2.3.x that allows low-privilege attackers to inject malicious JavaScript into comment editing templates. When victims open the editing pop-up, the attacker's code executes in their browser context. All DzzOffice 2.3.x installations with comment functionality enabled are affected.

💻 Affected Systems

Products:

DzzOffice

Versions: 2.3.x

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires comment functionality to be enabled and users with comment editing permissions.

📦 What is this software?

Dzzoffice by Dzzoffice

View all CVEs affecting Dzzoffice →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware through drive-by downloads.

🟠

Likely Case

Session hijacking, credential theft, defacement of comments, or limited account compromise through social engineering.

🟢

If Mitigated

With proper Content Security Policy (CSP) and input validation, impact reduces to minor UI manipulation or limited data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires low-privilege authenticated access. Public GitHub repositories demonstrate proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor official DzzOffice repositories for security updates. 2. Apply proper output escaping in dzz/comment/template/edit_form.htm. 3. Sanitize user inputs before rendering in HTML/JavaScript contexts.

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources and prevent inline JavaScript execution.

Add to web server config: Content-Security-Policy: script-src 'self'

Disable Comment Editing

all

Temporarily disable comment editing functionality until patch is available.

Modify DzzOffice configuration to remove comment editing permissions

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads in comment parameters
Restrict user permissions to minimize who can create/edit comments

🔍 How to Verify

Check if Vulnerable:

Test by creating a comment with JavaScript payload like <script>alert('XSS')</script> and checking if it executes when editing.

Check Version:

Check DzzOffice version in admin panel or configuration files

Verify Fix Applied:

Verify that user inputs are properly escaped in edit_form.htm template and JavaScript payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

Unusual comment creation/editing patterns
JavaScript or HTML tags in comment content logs

Network Indicators:

POST requests to comment endpoints with script tags or JavaScript code

SIEM Query:

source="web_logs" AND (uri="/dzz/comment" OR uri="/edit_form") AND (content="<script>" OR content="javascript:")

📊 Metadata

CVE ID: CVE-2025-63693

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-94

EPSS Score: 0.04% exploit probability (10.6th percentile)

Published: November 18, 2025

Last Updated: November 20, 2025

🔗 References

https://github.com/Yohane-Mashiro/dzzoffice_xss Issue Tracking,Third Party Advisory
https://github.com/zyx0814/dzzoffice/issues/363 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-63693, you might also want to check these: