CVE-2021-27556

The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System.

Reference Links (if available):

  • https://privasec.com/blog/zentao-cms-a-monkeys-journey-to-priv-esc-remote-code-execution/
CVSS Score (if available):

    v2: / MEDIUM AV:N/AC:L/Au:S/C:C/I:C/A:C

    v3: / HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H