Dzzoffice · Dzzoffice · CVE-2021-40191
**Name of the Vulnerable Software and Affected Versions**
Dzzoffice version 2.02.1
**Description**
The issue is a cross-site scripting (XSS) vulnerability caused by a lack of sanitization of input data in all upload functions in `webroot/dzz/attach/Uploader.class.php`, combined with an incorrect Content-Type in the response produced by `webroot/dzz/attach/controller.php`.
**Recommendations**
For Dzzoffice version 2.02.1, ensure proper sanitization of input data in the upload functions within `Uploader.class.php` and set the correct Content-Type on the responses emitted by `controller.php` to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
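As an added illustration (not Dzzoffice's own code), the weak pattern the description points at beside a hardened one: an upload/download path that stores whatever name the client sends and echoes the file back with a client-supplied MIME type, versus one that allow-lists the extension at upload time and serves stored attachments with a fixed Content-Type, `nosniff`, and an attachment disposition. Function names, the allow-list, and the storage layout are assumptions for the example.

```php
<?php
// Added example, not Dzzoffice code. Names, allow-list and storage layout are assumptions.

// Weak pattern: the stored name comes straight from the client and the file is
// returned with the client's declared MIME type, so an uploaded HTML or SVG file
// is rendered inside the application's origin and behaves as stored XSS.
function serve_attachment_weak(string $dir, string $name, string $clientType): void {
    header('Content-Type: ' . $clientType);   // attacker-controlled type
    readfile($dir . '/' . $name);             // no path, extension or type check
}

// Hardened pattern: decide the type from a server-side allow-list, never from the
// client, give the file a server-chosen name, and serve it so browsers will not
// render it in the site's origin. Script-capable types (html, svg, xml) are absent.
const ALLOWED_EXT = [
    'jpg' => 'image/jpeg', 'png' => 'image/png',
    'pdf' => 'application/pdf', 'txt' => 'text/plain',
];

// Called at upload time: returns the name to store, or null to reject the upload.
function stored_name(string $originalName): ?string {
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;                          // reject .html, .svg, .php, ...
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // client filename never hits disk
}

// Called at download time: $stored must be a name produced by stored_name().
function serve_attachment(string $dir, string $stored, string $downloadName): void {
    // Only accept the exact shape we generate: no slashes, no traversal, known extension.
    if (!preg_match('/^[a-f0-9]{32}\.([a-z0-9]+)$/', $stored, $m) || !isset(ALLOWED_EXT[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = $dir . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_EXT[$m[1]]);   // from the allow-list, not the request
    header('X-Content-Type-Options: nosniff');        // block sniffing into text/html
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($downloadName));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Serving user uploads from a separate origin (a dedicated download host) removes the remaining rendering risk even for types that must be displayed inline.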