CVE-2022-4984: ZenTao Biz < 6.5, Max < 3.0, & Open Source Edition 16.5/16.5beta1 SQL Injection via user-login.html
ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.
Security readout for executives and security teams
Plain-English summary
CVE-2022-4984 lets an unauthenticated remote attacker abuse ZenTao's login page to query backend data. The main business risk is exposure of user and application data from project-management systems, especially if ZenTao is internet-facing or holds sensitive delivery, customer, or engineering information.
Executive priority
Treat this as a high-priority data exposure risk for any reachable ZenTao deployment. Patch or restrict access promptly, then review logs because exploitation evidence is reported in the supplied sources.
Technical view
This is CWE-89 SQL injection in the account parameter used by /zentao/user-login.html. Affected products are ZenTao Biz before 6.5, ZenTao Max before 3.0, and ZenTao Open Source Edition before 16.5 or 16.5.beta1, per the supplied record.
Likely exposure
Highest exposure is externally reachable ZenTao login endpoints running affected Biz, Max, or Open Source Edition versions. Internal-only deployments still matter where ZenTao contains sensitive project, user, or operational data.
Exploitation context
The bundle says Shadowserver observed exploitation evidence on 2025-02-07 UTC. It is not listed as CISA KEV in the supplied data. No exploit mechanics or broader campaign details are provided.
Researcher notes
The affected-version data in the bundle includes placeholder version entries, so rely on the textual affected ranges and linked vendor releases. Evidence supports SQL injection impact and reported exploitation, but not detailed attack chains.
Mitigation direction
Upgrade affected ZenTao Biz deployments to 6.5 or later.
Upgrade affected ZenTao Max deployments to 3.0 or later.
Upgrade affected ZenTao Open Source Edition to 16.5, 16.5.1, or later.
Restrict external access to ZenTao until fixed versions are confirmed.
Review vendor guidance if your edition or version mapping is unclear.
Validation and detection
Inventory all ZenTao deployments, editions, and versions.
Confirm whether /zentao/user-login.html is reachable from untrusted networks.
Review web logs for unusual unauthenticated login requests since 2025-02-07.
Check database and application logs for abnormal login-time query behavior.
Verify patched versions are deployed in production, not only staging.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-89 · source CWE mapping
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.