CVE-2022-4984
Description
ZenTao Biz < 6.5, ZenTao Max < 3.0, and ZenTao Open Source Edition < 16.5 and < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter of /zentao/user-login.html before using it in a database query. A remote, unauthenticated attacker can exploit this to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in ZenTao login allows remote attackers to extract sensitive database contents.
CVE-2022-4984 is an SQL injection vulnerability affecting multiple ZenTao editions: Biz < 6.5, Max < 3.0, and Open Source Edition < 16.5 (and < 16.5.beta1). The flaw resides in the /zentao/user-login.html endpoint, where the account parameter is not properly validated before being incorporated into a database query. Because the value reaches the database as part of the SQL text rather than as a bound parameter, quotes, comment markers and keywords inside it change the structure of the query, and an attacker can inject arbitrary SQL expressions during the login process [1].
Exploitation can be carried out by a remote, unauthenticated attacker. By sending crafted HTTP requests to the login page with malicious account values, the attacker manipulates the underlying SQL query. No prior authentication or special network position is required, so any ZenTao instance whose login page is reachable from the internet is exposed [1].
Successful exploitation allows an attacker to execute crafted SQL statements and retrieve sensitive information from the backend database, including user records, application data, and other internal tables. The Shadowserver Foundation observed exploitation activity on 2025-02-07 UTC, confirming that the vulnerability is being targeted in the wild [1].
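To make the mechanism concrete, here is an added example written for this page (not ZenTao's code, and not a payload claimed to work against ZenTao): a constructed SQLite user table queried once by a login routine that splices the account value into the SQL text, and once by the same lookup done with bound parameters. The table, column names, rows and inputs are assumptions for the illustration.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# Schema, rows and values are assumptions for this illustration, not ZenTao's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (account TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [("admin", "admin-pw-hash", "admin"), ("alice", "alice-pw-hash", "user")],
    )
    return conn

def login_vulnerable(conn, account, password):
    # The account value is interpolated into the SQL text, so quotes, comment
    # markers and keywords inside it become part of the query: the bug class
    # described for the account parameter above.
    sql = (
        "SELECT account, role FROM user "
        f"WHERE account = '{account}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()

def login_hardened(conn, account, password):
    # Parameter binding sends the same values as data; the query shape is fixed
    # before any user input is seen, so the payloads below match no row.
    sql = "SELECT account, role FROM user WHERE account = ? AND password = ?"
    return conn.execute(sql, (account, password)).fetchall()

def demo():
    conn = build_db()
    # A closing quote plus a comment marker discards the password check.
    bypass = login_vulnerable(conn, "admin' -- ", "wrong")
    # A UNION appends a second SELECT that reads columns the login query never
    # meant to expose: this is the "retrieve sensitive information" path.
    dump = login_vulnerable(
        conn, "x' UNION SELECT password, role FROM user -- ", "wrong"
    )
    # The same bypass string against the parameterized query returns nothing.
    safe = login_hardened(conn, "admin' -- ", "wrong")
    return bypass, sorted(dump), safe

if __name__ == "__main__":
    print(demo())
```

The fix is the parameter binding in login_hardened, not input filtering: a denylist of quotes or keywords leaves the query structure attacker-controlled and is routinely bypassed, whereas a prepared statement cannot be changed by the value at all.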
Fixed releases are listed on ZenTao's download pages [1]. Users of affected versions should upgrade to ZenTao Biz 6.5 or later, ZenTao Max 3.0 or later, or ZenTao Open Source Edition 16.5 or later (16.5.1 has also been released). Because the vulnerability is reachable without credentials and exploitation has been observed, organizations should also review web-server, proxy and database logs for login requests carrying SQL syntax in the account value and for signs of unauthorized access or data exfiltration [1].
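As an added example for that log review (example code written for this page, not ZenTao's or Shadowserver's tooling): a triage script that parses constructed access-log lines, extracts the account parameter for requests to /zentao/user-login.html from the query string or from a logged request body, and flags values containing SQL syntax. The log format, IP addresses and payload strings are assumptions; nothing here is a real capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic). The format is a hypothetical
# reverse-proxy log that appends the URL-encoded request body as a final quoted
# field; a stock web-server access log does not record POST bodies, so confirm
# what your proxy or WAF actually logs before relying on this.
SAMPLE_LOG = r'''
198.51.100.7 - - [07/Feb/2025:10:01:12 +0000] "POST /zentao/user-login.html HTTP/1.1" 200 1532 "account=alice&password=hunter2"
198.51.100.9 - - [07/Feb/2025:10:02:03 +0000] "POST /zentao/user-login.html HTTP/1.1" 200 4210 "account=admin%27+AND+SLEEP%285%29--+&password=x"
203.0.113.5 - - [07/Feb/2025:10:02:45 +0000] "GET /zentao/user-login.html?account=x%27+UNION+SELECT+account%2Cpassword+FROM+user--+&password=x HTTP/1.1" 200 9870 "-"
203.0.113.5 - - [07/Feb/2025:10:03:10 +0000] "GET /zentao/index.php HTTP/1.1" 200 512 "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<body>[^"]*)"$'
)

# Indicators of SQL syntax inside an account name: a quote that would close the
# string literal, comment markers, or keywords that only make sense as SQL.
SQLI_RE = re.compile(r"'|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.IGNORECASE)

def account_values(target, body):
    """Account parameter from the query string and, if logged, the body."""
    values = parse_qs(urlsplit(target).query).get("account", [])
    if body and body != "-":
        values += parse_qs(body).get("account", [])
    return values

def triage(log_text):
    """Return login requests whose account value looks like SQL, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or not urlsplit(m["target"]).path.startswith("/zentao/user-login"):
            continue
        for account in account_values(m["target"], m["body"]):
            found = SQLI_RE.search(account)
            if found:
                hits.append({"ip": m["ip"], "ts": m["ts"], "account": account,
                             "indicator": found.group(0)})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

If request bodies were never logged, the database side is the other place to look: a MySQL general or slow query log will contain the injected SQL verbatim, and a burst of time-based probes (SLEEP, BENCHMARK) against the login query shows up as unusually slow statements from the application user.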
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.cnvd.org.cn/flaw/show/CNVD-2022-42853
- www.vulncheck.com/advisories/zentao-biz-max-and-open-source-edition-sqli-via-user-login
- www.zentao.pm/download/zentao-community-edition-release-165-1170.html
- www.zentao.pm/download/zentao-community-edition-release-1651-1143.html
- www.zentao.pm/download/zentao-community-edition-release-30-1172.html
- www.zentao.pm/download/zentao-community-edition-release-65-1171.html
News mentions
No linked articles in our index yet.