PT-2022-12426 · Terramaster · Terramaster F4-210+2
N0Tme
·
Published
2022-04-25
·
Updated
2022-05-05
·
CVE-2021-45836
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Terramaster F4-210, F2-210 TOS version 4.2.15-2107141517
Description
An authenticated attacker can execute arbitrary commands as root by injecting a maliciously crafted input in the request through the "/tos/index.php?app/hand app" API endpoint.
Recommendations
For Terramaster F4-210, F2-210 TOS version 4.2.15-2107141517, consider restricting access to the "/tos/index.php?app/hand app" API endpoint until a patch is available. As a temporary workaround, avoid using this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Tos
Terramaster F2-210
Terramaster F4-210