CVE-2022-4984

HIGH EXPLOITED

ZenTao <6.5/<3.0/<16.5/<16.5.beta1 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-4984 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.

Scores

CVSS v4 8.7
EPSS 0.0044
EPSS Percentile 35.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2025-11-13
CWE
CWE-89
Status published
Products (4)
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Biz < 6.5
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Max < 3.0
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Open Source Edition < 16.5
Qingdao Esoft Tianchuang Network Technology Co., Ltd./ZenTao Open Source Edition < 16.5.beta1
Published Nov 13, 2025
Tracked Since Feb 18, 2026