CVE-2022-4984
HIGH EXPLOITEDZenTao <6.5/<3.0/<16.5/<16.5.beta1 - SQL Injection
Title source: llmExploitation Summary
CVE-2022-4984 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.
References (6)
Core 6
Core References
Various Sources government-resource
vdb-entry
https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
Various Sources patch
https://www.zentao.pm/download/zentao-community-edition-release-65-1171.html
Various Sources patch
https://www.zentao.pm/download/zentao-community-edition-release-30-1172.html
Various Sources patch
https://www.zentao.pm/download/zentao-community-edition-release-165-1170.html
Various Sources patch
https://www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
Scores
CVSS v4
8.7
EPSS
0.0044
EPSS Percentile
35.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2025-11-13
CWE
CWE-89
Status
published
Products (4)
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Biz
< 6.5
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Max
< 3.0
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Open Source Edition
< 16.5
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Open Source Edition
< 16.5.beta1
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026