SQL Injection Vulnerability in ZenTao Products by ZenTao Technology
CVE-2022-4984

8.7HIGH

Key Information:

Vendor

Qingdao Esoft Tianchuang Network Technology Co., Ltd.

Status
Zentao Biz
Zentao Max
Zentao Open Source Edition
Vendor
CVE Published:
13 November 2025

What is CVE-2022-4984?

The vulnerability in ZenTao products stems from improper validation of the account parameter during the login process. This weakness enables remote unauthenticated attackers to execute malicious SQL queries, potentially granting them access to sensitive information stored in the backend database. This can include confidential user details and application data, which poses significant risks to organizations relying on these versions of ZenTao software. Prompt action is advised to mitigate the exposure.

Affected Version(s)

ZenTao Biz 0 < 6.5

ZenTao Max 0 < 3.0

ZenTao Open Source Edition 0 < 16.5

References

https://www.cnvd.org.cn/flaw/show/CNVD-2022-42853
government-resourcevdb-entry
https://www.zentao.pm/download/zentao-community-edition-r...
patch
https://www.zentao.pm/download/zentao-community-edition-r...
patch

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2022-4984 : SQL Injection Vulnerability in ZenTao Products by ZenTao Technology