CVE-2024-29273: n/a
There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document.
AI Analysis
Technical Summary
CVE-2024-29273 is a stored cross-site scripting (XSS) vulnerability affecting dzzoffice version 2.02.1 SC UTF8. The flaw lies in the uploadfile parameter handled by index.php, which accepts an SVG document carrying an embedded JavaScript payload. Because the uploaded file is stored on the server, the payload runs in the browser of every user who later views it, making the XSS persistent. The root cause is missing sanitization and validation of SVG content: SVG is an XML format that can legitimately carry script elements and event-handler attributes, so script can be injected within the document structure. The attack vector is network-based; no authentication is required, but user interaction is needed to trigger payload execution. Confidentiality and integrity are affected, since an attacker can steal session tokens, perform actions on behalf of users, or manipulate displayed content; availability is not affected. The CVSS 3.1 base score is 6.1 (medium), reflecting ease of exploitation and a scope that extends to user sessions. No patch and no known exploit have been reported, but the vulnerability is publicly disclosed. It is classified as CWE-79, improper neutralization of input during web page generation (cross-site scripting).
Potential Impact
This vulnerability can lead to unauthorized script execution in the browsers of users interacting with the vulnerable dzzoffice instance. Potential impacts include theft of authentication cookies or tokens, session hijacking, defacement of web content, and execution of arbitrary actions with the victim's privileges. For organizations, this could result in compromised user accounts, data leakage, and erosion of trust in the affected service. Since dzzoffice is a collaborative office platform, attackers could leverage this to manipulate documents or steal sensitive information. Although availability is not affected, the confidentiality and integrity impacts can be significant, especially in environments with sensitive or proprietary data. The lack of authentication requirement broadens the attack surface, allowing remote attackers to target any user who views the malicious SVG upload. This could facilitate targeted phishing campaigns or broader exploitation in organizations using dzzoffice.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations:
1) Restrict file upload types strictly, disallowing SVG uploads or any file types that can contain executable scripts.
2) Employ server-side sanitization of SVG files to remove any embedded scripts or potentially dangerous XML elements before storage or rendering.
3) Implement Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of XSS payloads.
4) Educate users to be cautious with unexpected or suspicious file uploads and links.
5) Monitor web server logs and application behavior for unusual upload activity or script execution attempts.
6) Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads in uploads.
7) Isolate or sandbox the affected application environment to limit lateral movement if exploitation occurs.
8) Regularly review and update security controls related to file handling and input validation.
These measures will reduce the risk of exploitation while awaiting an official fix from the vendor.
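The first two mitigations above (disallow SVG uploads, or sanitize SVG server-side before storage) as an added worked example in Python. This is illustrative code written for this page, not dzzoffice's own code and not a patch for it; the element and attribute deny list, the DOCTYPE rejection, the two upload policies and the sample SVG are all assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default SVG namespace and the xlink prefix readable when re-serialising.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign/animated content; removed with their subtree.
# (Policy chosen for this example, not a list taken from dzzoffice.)
FORBIDDEN_ELEMENTS = {
    "script", "foreignobject", "iframe", "embed", "object",
    "set", "animate", "animatetransform", "handler",
}
# Attributes that reference a URL; values using an active scheme are stripped.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
ACTIVE_SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def _local(qname):
    """Strip an ElementTree '{namespace}name' prefix and lower-case the local name."""
    return qname.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_bytes):
    """Parse an uploaded SVG and strip active content.

    Returns (cleaned_bytes, findings); findings lists what was removed, so an
    empty list means the document contained nothing forbidden.
    Raises ValueError for input that should never be accepted at all.
    """
    # A DTD can declare entities (entity-expansion attacks); an SVG drawing never needs one.
    if DOCTYPE_RE.search(svg_bytes):
        raise ValueError("DOCTYPE declarations are not allowed in uploaded SVG")
    root = ET.fromstring(svg_bytes)  # raises ET.ParseError on malformed XML
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    findings = []
    # Pass 1: drop forbidden elements. Snapshot the tree first because it is mutated.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_ELEMENTS:
                findings.append("removed element <%s>" % _local(child.tag))
                parent.remove(child)
    # Pass 2: drop event-handler attributes (on*) and hrefs with active URL schemes.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.startswith("on"):
                findings.append("removed attribute %s on <%s>" % (name, _local(el.tag)))
                del el.attrib[attr]
            elif attr in HREF_ATTRS and ACTIVE_SCHEME_RE.match(el.attrib[attr]):
                findings.append("removed attribute %s on <%s>" % (name, _local(el.tag)))
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8"), findings


def check_svg_upload(svg_bytes, policy="sanitize"):
    """Upload gate implementing mitigations 1 and 2 from the advisory.

    policy="reject":   refuse any SVG that carried active content (mitigation 1).
    policy="sanitize": store the cleaned document instead (mitigation 2).
    Returns (bytes_to_store_or_None, findings).
    """
    cleaned, findings = sanitize_svg(svg_bytes)
    if policy == "reject" and findings:
        return None, findings
    return cleaned, findings


# Constructed sample upload: a harmless drawing carrying inert stand-ins for the
# three places a stored-XSS SVG would put its payload.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10" onload="/* constructed: inert */">
  <script>/* constructed: inert */</script>
  <rect width="10" height="10" fill="red"/>
  <a xlink:href="javascript:/* constructed: inert */"><text>x</text></a>
</svg>"""

if __name__ == "__main__":
    stored, findings = check_svg_upload(SAMPLE_SVG, policy="sanitize")
    print("\n".join(findings))
    print(stored.decode())
    print("reject policy stores:", check_svg_upload(SAMPLE_SVG, policy="reject")[0])
```

A deny list like this one cannot be exhaustive (CSS in a `<style>` element, external references and vendor-specific attributes are not covered here), which is why rejecting SVG outright (mitigation 1) remains the stronger control; if SVG must be accepted, the sanitizer should be combined with a restrictive CSP on the pages that render uploads (mitigation 3) and uploaded files should be served in a way that does not navigate the browser to them directly, since script in an SVG does not run when it is embedded via `<img>` but does when the file is opened as a document.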
Affected Countries
China, United States, India, Germany, France, United Kingdom, Japan, South Korea, Russia, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-19T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d9bb7ef31ef0b589451
Added to database: 2/25/2026, 9:46:03 PM
Last enriched: 2/26/2026, 11:31:49 AM
Last updated: 4/12/2026, 2:35:36 PM