Show filters
2 Total Results
Displaying 1-2 of 2
Sort by:
Attacker Value
Very High

CVE-2022-24990

Disclosure Date: February 07, 2023 (last updated October 08, 2023)
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Attacker Value
Unknown

CVE-2022-24989

Disclosure Date: August 20, 2023 (last updated October 08, 2023)
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.