CVE-2022-4984

ZenTao Biz < 6.5, Max < 3.0, & Open Source Edition 16.5/16.5beta1 SQL Injection via user-login.html

Description

ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.

INFO

Published Date :

2025-11-13T19:37:40.856Z

Last Modified :

2025-11-16T13:42:37.979Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2022-4984 vulnerability.

Vendors	Products
Easycorp	Zentao Biz Zentao Max Zentao Open Source Edition

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2022-4984.

URL	Resource
https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html
https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html
https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability