PT-2023-29306 · Unknown · Zentao Max, Zentao Biz, Zentao Community Edition
Published 2023-10-10 · Updated 2023-10-11
CVE-2023-44827
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ZenTao Community Edition versions 18.6 and earlier
ZenTao Biz versions 8.6 and earlier
ZenTao Max versions 4.7 and earlier
Description
The vulnerability allows an attacker to execute arbitrary code by submitting a crafted script through the Office Conversion Settings function.
Recommendations
For ZenTao Community Edition versions 18.6 and earlier, update to a version later than 18.6.
For ZenTao Biz versions 8.6 and earlier, update to a version later than 8.6.
For ZenTao Max versions 4.7 and earlier, update to a version later than 4.7.
As a temporary workaround, consider restricting access to the Office Conversion Settings function until a patch is available.
Command Injection
Affected Products
Zentao Biz
Zentao Community Edition
Zentao Max