TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html | |
https://forum.terra-master.com/en/viewforum.php?f=28 | Issue Tracking Release Notes |
https://github.com/0xf4n9x/CVE-2022-24990 | Exploit Third Party Advisory |
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ | Exploit Third Party Advisory |
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 | Third Party Advisory |
History
08 Aug 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-306 |
14 Jun 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2023, 14:24
Type | Values Removed | Values Added |
---|---|---|
First Time | Terra-master u16-322-9100 Terra-master f2-221 Terra-master f4-423 Terra-master u12-722-2224 Terra-master f4-421 Terra-master f2-223 Terra-master t12-423 Terra-master f4-422 Terra-master terramaster Operating System Terra-master u4-211 Terra-master t9-423 Terra-master u12-322-9100 Terra-master t6-423 Terra-master u8-322-9100 Terra-master u16-722-2224 Terra-master f5-422 Terra-master f5-221 Terra-master Terra-master u8-423 Terra-master f2-210 Terra-master u8-722-2224 Terra-master t12-450 Terra-master f2-422 Terra-master u8-522-9400 Terra-master u8-111 Terra-master f2-423 Terra-master u4-423 Terra-master t9-450 Terra-master u24-722-2224 Terra-master u12-423 Terra-master u4-111 | |
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:h:terra-master:u16-322-9100:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:t12-450:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u8-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f2-223:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u4-211:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f4-422:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:t9-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u4-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f2-422:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f2-221:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u12-722-2224:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u8-522-9400:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u12-322-9100:-:*:*:*:*:*:*:* cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f5-221:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:t6-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f5-422:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u8-322-9100:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f4-421:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u8-722-2224:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:t12-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u4-111:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f4-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u24-722-2224:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:t9-450:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u12-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f2-423:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u16-722-2224:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:u8-111:-:*:*:*:*:*:*:* cpe:2.3:h:terra-master:f2-210:-:*:*:*:*:*:*:* |
|
CVSS | v2 : v3 : | v2 : unknown v3 : 7.5 |
References | (MISC) https://github.com/0xf4n9x/CVE-2022-24990 - Exploit, Third Party Advisory | |
References | (MISC) https://forum.terra-master.com/en/viewforum.php?f=28 - Issue Tracking, Release Notes | |
References | (MISC) https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ - Exploit, Third Party Advisory | |
References | (MISC) https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 - Third Party Advisory |
07 Feb 2023, 18:24
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-07 18:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-24990
Mitre link : CVE-2022-24990
CVE.ORG link : CVE-2022-24990
Products Affected
terra-master
- t6-423
- u4-211
- u8-722-2224
- u16-322-9100
- f2-221
- u16-722-2224
- u24-722-2224
- u8-111
- t9-423
- f5-422
- f4-422
- t9-450
- u8-322-9100
- f2-210
- u8-522-9400
- f4-423
- f2-223
- u4-423
- f4-421
- terramaster_operating_system
- u12-322-9100
- u4-111
- t12-423
- u12-423
- f2-422
- u8-423
- f5-221
- t12-450
- f2-423
- u12-722-2224
CWE
CWE-306
Missing Authentication for Critical Function