CVE-2022-4984

CVSS

No CVSS.

Z

enTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.

References

Link	Resource
https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html
https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html
https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html

Configurations

No configuration.

History

13 Nov 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-13 20:15

Updated : 2025-11-14 16:42

NVD link : CVE-2022-4984

Mitre link : CVE-2022-4984

CVE.ORG link : CVE-2022-4984

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2022-4984", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-13T20:15:46.853", "references": [{"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login", "source": "[email protected]"}, {"url": "https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html", "source": "[email protected]"}, {"url": "https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html", "source": "[email protected]"}, {"url": "https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html", "source": "[email protected]"}, {"url": "https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC."}], "lastModified": "2025-11-14T16:42:03.187", "sourceIdentifier": "[email protected]"}