6.5

CVE-2025-13789

Exploit

ZenTao model.php makeRequest server-side request forgery

A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZentaoZentao Version < 21.7.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.25% 0.163
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cna@vuldb.com 2.1 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://vuldb.com/?id.333793
Third Party Advisory
VDB Entry
https://vuldb.com/?ctiid.333793
VDB Entry
Permissions Required
https://vuldb.com/?submit.690728
Third Party Advisory
VDB Entry
https://github.com/ez-lbz/ez-lbz.github.io/issues/2
Vendor Advisory
Exploit
Issue Tracking
https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346
Exploit
Issue Tracking
https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459
Vendor Advisory
Exploit
Issue Tracking
https://www.zentao.net/extension-viewext-6.html
Product