CVE-2022-4984

N/A Unknown
Published: November 13, 2025 Modified: November 14, 2025
View on NVD

Description

ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
Source: disclosure@vulncheck.com
https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html
Source: disclosure@vulncheck.com
https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
Source: disclosure@vulncheck.com
https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html
Source: disclosure@vulncheck.com
https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html
Source: disclosure@vulncheck.com

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.2%
45th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-89

Related CVEs

CVE-2026-0824 3.5
CVE-2026-0822 6.3
CVE-2025-13393 4.3
CVE-2025-12379 6.4
CVE-2026-0821 7.3