VYPR
Unrated severity · NVD Advisory · Published Nov 2, 2023 · Updated Sep 17, 2024

CVE-2023-46475

Description

A stored XSS in ZenTao 18.3 allows authenticated users to inject arbitrary JavaScript into the project name field, executing in the browser of any viewer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in ZenTao (zentaoPMS) version 18.3. An authenticated user can inject malicious JavaScript into the name field when creating a new project via the 'Project' endpoint [1], [2]. The injection occurs during the project creation process regardless of the selected management type (Scrum, Waterfall, Kanban, Agile+, Waterfall+). The injected payload is stored in the application and executed when the project data is rendered in the browser [2].

Exploitation

An attacker must have an authenticated session in ZenTao. By clicking the '+' button on the upper right-hand side and selecting 'Project', the attacker is presented with a management-type selection window. After selecting a management type, the 'Create Project' page appears. In the Name field, the attacker can input arbitrary JavaScript code (e.g., ``). Upon saving the project, the payload is stored and executed immediately, producing an alert box [2]. The attacker does not need any special privileges beyond a regular user account.

Impact

Successful exploitation results in the execution of the attacker's JavaScript in the context of any user who views the project (e.g., when browsing the project list or opening the project). This stored XSS can lead to session hijacking, credential theft, data exfiltration, or other client-side attacks. The CVSS v3.1 base score is 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) [2], indicating a medium severity with limited but exploitable confidentiality, integrity, and availability impact.

Mitigation

As of the publication date (2023-11-02), no official patch has been released for this vulnerability. The vendor (Easysoft) was notified but no fix has been confirmed. Users should sanitize the name field input or implement a content security policy (CSP) as a workaround. The software is open-source, so custom hardening is possible. The vulnerable version is ZenTao 18.3; earlier versions may also be affected. No entry in the CISA KEV list has been observed for this CVE [1], [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and output encoding in the project 'Name' field allows stored JavaScript injection."

Attack vector

An authenticated attacker clicks the '+' button in the upper right-hand corner, selects 'Project' from the drop-down menu, and chooses a management type [ref_id=1]. On the 'Create Project' page, the attacker injects malicious JavaScript into the 'Name' field and saves the project [ref_id=1]. The payload is stored on the server and executes in the browser of any user who views the project, resulting in stored cross-site scripting [CWE-79] [ref_id=1].

Affected code

The vulnerability exists in the 'Project' creation endpoint of ZenTaoPMS 18.3. The 'Name' field on the 'Create Project' page does not sanitize or escape user-supplied input before storing it [ref_id=1]. All project management types (Scrum, Waterfall, Kanban, Agile+, Waterfall+) are affected [ref_id=1].

What the fix does

The advisory does not include a patch or specific remediation guidance from the vendor [ref_id=1]. To close the vulnerability, the application should sanitize or encode user input in the project 'Name' field before storing it, and escape the output when rendering the name in the browser to prevent JavaScript execution [CWE-79].
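As an added illustration (not ZenTao's code), the following Python models the project-name path described above: the unescaped concatenation that lets a stored name execute as markup, the output-encoded form that closes the hole, and a heuristic sweep over already-stored names. The sample names and the `contains_markup` check are constructed for this example.

```python
import html
import re

# Constructed sample project names (not taken from the advisory):
# one benign name with an ampersand, one carrying an HTML script tag.
SAMPLE_NAMES = [
    "Q4 Roadmap & Planning",
    "Roadmap <script>alert(1)</script>",
]

def render_project_row_unsafe(name: str) -> str:
    """Models the vulnerable path: the stored name is pasted into HTML verbatim,
    so any tag inside it becomes live markup in the viewer's browser."""
    return f'<td class="project-name">{name}</td>'

def render_project_row_safe(name: str) -> str:
    """Hardened path: HTML-encode the name at the output boundary. The stored
    value is untouched; <, >, &, and quotes become entities when rendered."""
    return f'<td class="project-name">{html.escape(name, quote=True)}</td>'

# A '<' directly followed by a letter (or '</') is what an HTML tokenizer
# treats as a tag opener; a lone '<' such as "a < b" is plain text.
TAG_RE = re.compile(r"</?[a-zA-Z]")

def contains_markup(name: str) -> bool:
    """Heuristic check for names that would be parsed as markup if rendered
    unescaped. Useful for auditing existing data; not a substitute for
    output encoding."""
    return TAG_RE.search(name) is not None

def audit_stored_names(names):
    """Return the stored names that would have executed as markup under the
    unsafe renderer, so an operator can review or rename them."""
    return [n for n in names if contains_markup(n)]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("unsafe:", render_project_row_unsafe(n))
        print("safe:  ", render_project_row_safe(n))
    print("flagged:", audit_stored_names(SAMPLE_NAMES))
```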

Preconditions

  • auth: Attacker must have a valid authenticated session on the ZenTaoPMS application
  • auth: Attacker must have permission to create a new project
  • config: The application must be running ZenTaoPMS version 18.3

Reproduction

1. Log in to ZenTaoPMS 18.3 as an authenticated user.
2. Click the '+' button in the upper right-hand corner and select 'Project' from the drop-down menu.
3. Choose any management type (Scrum, Waterfall, Kanban, Agile+, Waterfall+).
4. On the 'Create Project' page, enter malicious JavaScript (e.g., `

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.