Discoverer: pipichen

ZentaoPMS Introduction

ZentaoPMS (Zen Project Management System) is an open source project management and collaboration tool designed to help teams better plan, track, and complete projects. It is a professional project management platform suitable for organizations of all sizes, from small and medium-sized enterprises to large enterprises. Some of the important features and functions of ZentaoPMS:

  1. Project Management: ZentaoPMS provides comprehensive project management functions, including project planning, task allocation, progress tracking, problem management, and document management.
  2. Agile development support: ZentaoPMS supports agile development methods such as Scrum and Kanban. It allows teams to create agile kanban, estimate tasks, develop iteration plans, and track story points for agile practices.
  3. Defect Tracking: ZentaoPMS has powerful defect tracking functionality, allowing users to report and manage software defects. The team can track the status, priority, and resolution progress of defects.
  4. Document Management: This system allows users to upload and manage project related documents, files, and attachments. This helps ensure that the team can easily access and share project documents.
  5. Reporting and Statistics: ZentaoPMS provides various project reports and statistical data to help management and teams understand project progress and performance indicators. Users can generate various charts and reports for analysis.
  6. User Rights Management: Administrators can define user roles and permissions to ensure that only authorized personnel can access and modify sensitive project data.
  7. Integration and extensibility: ZentaoPMS integrates well with other tools and services (such as Git, SVN, Jira, etc.). It also supports plugins and extensions, allowing users to customize existing features and add new ones.
  8. Multilingual support: ZentaoPMS provides multilingual support, making it easy for global teams to collaborate.

Vulnerability Description

The ZentaoPMS Biz and Max editions contain a command injection vulnerability that allows a malicious user to execute shell scripts.

Vulnerability Principle and Reproduction

The root cause is that the "Background > Office > Office Conversion Settings" function does not strictly filter the sofficePath parameter, so a malicious user can cause the application to execute a shell script of their choosing.
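The defensive counterpart of the weakness described above is to treat an administrator-supplied executable path as untrusted input: validate it against a strict allowlist before it is stored, and never let it reach a shell. The following is an added example written for this advisory; it is not ZentaoPMS code (the real libreoffice.php is ionCube-encrypted and its internals are not shown here). The function names, the allowed launcher names and the LibreOffice command line are assumptions for illustration.

```php
<?php
// Added example (not ZentaoPMS code): validate a configured LibreOffice
// executable path before it is used to build a conversion command.
// isValidSofficePath / buildConvertCommand / runConversion are assumed names.

declare(strict_types=1);

/**
 * Returns true only when $path is a plausible, safe soffice path:
 *  - absolute, containing no shell metacharacters or whitespace,
 *  - no empty, "." or ".." components,
 *  - basename is one of the known LibreOffice launcher names (assumed list).
 */
function isValidSofficePath(string $path): bool
{
    // Character allowlist: letters, digits, underscore, dot, slash, hyphen.
    // Anything else (;, |, &, $, `, quotes, spaces, newlines) is rejected.
    if (preg_match('#\A/[A-Za-z0-9_./-]+\z#', $path) !== 1) {
        return false;
    }
    foreach (explode('/', trim($path, '/')) as $component) {
        if ($component === '' || $component === '.' || $component === '..') {
            return false;
        }
    }
    $allowedNames = ['soffice', 'soffice.bin', 'libreoffice'];
    return in_array(basename($path), $allowedNames, true);
}

/**
 * Builds the argv array for a headless conversion. The command is passed to
 * proc_open() as an array (PHP >= 7.4), so no shell ever parses it and
 * metacharacters in $input or $outDir cannot add extra commands.
 */
function buildConvertCommand(string $sofficePath, string $input, string $outDir, string $format = 'pdf'): array
{
    if (!isValidSofficePath($sofficePath)) {
        throw new InvalidArgumentException('Rejected sofficePath: ' . $sofficePath);
    }
    if (preg_match('/\A[a-z0-9]+\z/', $format) !== 1) {
        throw new InvalidArgumentException('Rejected output format');
    }
    return [$sofficePath, '--headless', '--convert-to', $format, '--outdir', $outDir, $input];
}

/** Runs the conversion without a shell and returns the process exit status. */
function runConversion(string $sofficePath, string $input, string $outDir): int
{
    $cmd = buildConvertCommand($sofficePath, $input, $outDir);
    // Runtime check in addition to the syntactic one: the path must be a real executable.
    if (!is_file($sofficePath) || !is_executable($sofficePath)) {
        throw new RuntimeException('sofficePath is not an executable file');
    }
    $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Failed to start soffice');
    }
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample inputs exercising the validator:
var_dump(isValidSofficePath('/usr/bin/soffice'));                    // common launcher location
var_dump(isValidSofficePath('/opt/libreoffice7.6/program/soffice')); // vendor install location
var_dump(isValidSofficePath('/usr/bin/soffice; ls'));                // contains a shell metacharacter
var_dump(isValidSofficePath('/usr/bin/../bin/soffice'));             // contains a ".." component
var_dump(isValidSofficePath('/tmp/convert.sh'));                     // basename not an allowed launcher
var_dump(isValidSofficePath('relative/soffice'));                    // not an absolute path
```

The two checks are deliberately layered: the syntactic allowlist runs when the setting is saved, so a bad value never reaches the database, and the array form of proc_open() removes the shell from the execution path entirely, so even a value that slipped past validation cannot be interpreted as a command sequence.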

Download the latest ZenTao Biz and Max source code:

https://www.zentao.net/dl/zentao/biz8.7/ZenTaoPMS-biz8.7-zbox_amd64.tar.gz

Vulnerable files:

zentaopms/extension/biz/custom/ext/control/libreoffice.php
zentaopms/extension/max/custom/ext/control/libreoffice.php

The files are encrypted with ionCube: