2 matches found
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint...
CVE-2022-24990
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. Recent assessments: cbeek-r7 at July 26, 2024 7:31pm UTC reported: A July 2024 bullet...