CVE-2022-24990

Description

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

NVD
Severity: HIGH
CVE ID: CVE-2022-24990
CVSS Score: 7.5
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference: NVD, MITRE

Proof Of Concept

Nuclei Templates for CVE-2022-24990
Jaky5155

CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP object instantiation

Reference: GitHub

VVeakee

Just a PoC, not an exploit

Reference: GitHub

0xf4n9x

CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation

Reference: GitHub

lishang520

CVE-2022-24990 information disclosure + RCE, all in one

Reference: GitHub

antx-code

TerraMaster TOS Unauthenticated Remote Command Execution (RCE) Vulnerability CVE-2022-24990

Reference: GitHub

jsongmax

Reference: GitHub