Hillstone Networks

RULE（RULE ID：333520）

Rule General Information


Release Date:		2021-05-08

Rule Name:		ZenTaoPMS 11.6 SQL Injection Vulnerability

Severity:

CVE ID:

Rule Protection Details


Description:		ZenTaoPMS is a set of project management software developed by Nature Easy Soft Network Technology Company in order to solve the chaos and disorder in the management process of many enterprises.ZenTaoPMS 11.6 version has SQL injection vulnerability. The vulnerability is due to the imperfect filtering of user interface call permission in ZenTaoPMS 11.6 version, which leads to the existence of SQL injection vulnerability in the call interface. A remote attacker can execute arbitrary SQL statements through the api-getModel-api-sql-sql interface.

Impact:		An attacker can inject arbitrary sql commands to view or change the database of the target by exploiting the vulnerability successfully.

Affected OS:		Windows, Linux, Others

Reference:

Solutions

Please contact the software vendor to update the software patch.