TerraMaster TOS Unauthenticated Remote Command Execution(RCE) Vulnerability CVE-2022-24990

License

Notifications You must be signed in to change notification settings

antx-code/CVE-2022-24990

CVE-2022-24990


Description

  • POC for CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP object instantiation.
  • Created by antx on 2022-04-12.

Detail

  • The vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the target system.
  • It exists because of improper input validation in the webNasIPS component of the api.php script: a remote, unauthenticated attacker can send specially crafted data to the application and execute arbitrary commands on the target system.
  • Successful exploitation may result in complete compromise of the vulnerable system.

CVE Severity

  • CVSS version: 3.1
  • attackVector: NETWORK
  • attackComplexity: LOW
  • privilegesRequired: NONE
  • userInteraction: NONE
  • scope: UNCHANGED
  • confidentialityImpact: HIGH
  • integrityImpact: HIGH
  • availabilityImpact: HIGH
  • vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • baseScore: 9.8 (the metrics above, with scope UNCHANGED, compute to 9.8 under the CVSS v3.1 formula; a 10.0 would require scope: CHANGED)
  • baseSeverity: CRITICAL

Affect

  • TerraMaster TOS
    • all versions before 4.2.30 (this includes every 4.1.x release)

POC


Patch


Reference
