Discoverer:hh
Product official website:https://www.zentao.net/
The zentao Enterprise Edition has expanded horizontally based on the project management process on the basis of the open source version, adding functions such as operation and maintenance management, feedback management, and OA office management to meet the online collaboration needs of more roles, forming a closed-loop management system. The Enterprise Edition is more adaptable to the personalized needs of enterprises, adding functions such as custom workflows, custom large screens, custom pivot tables, custom charts, and AI prompt designers, providing more comprehensive support for enterprise project management. In terms of service, the Enterprise Edition can provide one-on-one customer successful services such as user training, technical support, and review guidance to ensure the implementation of the system.
Zentao Enterprise Edition(zentao_biz) ≤ 8.7 is vulnerable to Information Disclosure.Leaked the password of ldap and other information required to log in to the ldap server
Right click on the password of ldap and check the source code. Change type=password to type=text to display the password.
Other ldap login information except password is directly displayed in plaintext,so attackers can directly log in to the ldap server.
The following figure shows the instance information I filled in.
Change type=password to type=text