PT-2022-1802 · Terramaster · Terramaster Nas

Published 2022-03-09 · Updated 2025-08-04 · CVE-2022-24989

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: TerraMaster NAS versions prior to 4.2.31
Description: The mobile API interface of api.php on TerraMaster NAS devices instantiates the requested module by name (PHP object instantiation), which exposes the createRaid module to remote callers via the api.php?mobile/createRaid URI without authentication (CVSS Au:N). The createRaid module passes its raidtype and diskstring parameters to popen() without sanitization, so shell metacharacters embedded in either parameter are interpreted by the shell and a remote attacker can execute arbitrary commands on the device.
Recommendations: For versions prior to 4.2.31, update to version 4.2.31 or later, which resolves the issue. If the update cannot be applied immediately, do not expose the NAS web interface to untrusted networks and block requests for the api.php?mobile/createRaid URI at a firewall or reverse proxy in front of the device; because no authentication is required, any host that can reach the web interface can supply the raidtype and diskstring parameters that trigger the injection. Blocking the endpoint disables RAID creation through the mobile API until the update is applied.
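As an added triage example (Python; not part of this advisory and not TerraMaster's own code), the script below turns the two points above into checks a responder can run: whether a reported TerraMaster NAS version falls in the affected range (prior to 4.2.31), and which access-log requests hit the mobile/createRaid endpoint with shell metacharacters in raidtype or diskstring, the popen() injection primitive described in the description. Assumptions: web-server lines in Combined Log Format, the /module/ path prefix and the user-agent strings in the sample are made up, and the sample log lines are constructed for the example rather than captured from a device.

```python
"""Triage helper for CVE-2022-24989 (added example; not TerraMaster code).

  is_affected()  - is a version string prior to the fixed release 4.2.31?
  scan_log()     - which access-log requests reach mobile/createRaid, and
                   which carry shell metacharacters in raidtype/diskstring?

Assumption: Combined Log Format lines.  Parameters sent in a POST body do not
appear in an access log, so such requests are reported as unverified rather
than clean.
"""
import re
from urllib.parse import urlsplit, unquote_plus

FIXED_VERSION = (4, 2, 31)            # first fixed release per the advisory
RISKY_PARAMS = ("raidtype", "diskstring")
CREATE_RAID = re.compile(r"mobile/createRaid", re.IGNORECASE)
# Characters that change how the shell behind popen() parses a command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic; path prefix and user agents are
# assumed): a normal call, an injection attempt with an encoded ';', a benign
# two-disk request, and a POST whose parameters travel in the body.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2022:10:01:02 +0000] "GET /module/api.php?mobile/createRaid&raidtype=raid0&diskstring=sda HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2022:10:01:09 +0000] "GET /module/api.php?mobile/createRaid&raidtype=raid0%3Bid&diskstring=sda HTTP/1.1" 200 512 "-" "curl/7.81.0"
198.51.100.4 - - [09/Mar/2022:10:02:00 +0000] "GET /module/api.php?mobile/createRaid&raidtype=raid1&diskstring=sda,sdb HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Mar/2022:10:03:00 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 51 "-" "python-requests/2.27"
"""


def is_affected(version):
    """True when a string such as '4.2.30' or 'TOS 4.2.29' is prior to 4.2.31.
    Raises ValueError when the string carries no version number at all."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError("no version number in %r" % version)
    nums += [0] * (3 - len(nums))       # '4.2' compares as 4.2.0
    return tuple(nums) < FIXED_VERSION


def parse_query(query):
    """Split a query string on '&' only and percent-decode it.  Done by hand
    because some urllib versions also split on ';', which would hide exactly
    the metacharacter this scan is looking for."""
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        params[unquote_plus(key)] = unquote_plus(value) if sep else ""
    return params


def classify(method, params):
    """Verdict for one createRaid request: (verdict, tainted parameters)."""
    tainted = {k: v for k, v in params.items()
               if k in RISKY_PARAMS and SHELL_META.search(v)}
    if tainted:
        return "injection", tainted
    if method.upper() == "POST" and not any(k in params for k in RISKY_PARAMS):
        # Parameters went in the body; the access log cannot clear this one.
        return "unverified-body", {}
    return "clean", {}


def scan_log(text):
    """Return one finding per request that reaches the createRaid endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not CREATE_RAID.search(m.group("uri")):
            continue
        params = parse_query(urlsplit(m.group("uri")).query)
        verdict, tainted = classify(m.group("method"), params)
        findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "verdict": verdict,
                         "tainted": tainted})
    return findings


if __name__ == "__main__":
    for v in ("4.2.29", "4.2.30", "4.2.31"):
        print(v, "affected" if is_affected(v) else "fixed")
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["method"], f["verdict"], f["tainted"])
```

A 200 status on a flagged line says nothing about whether the command ran; treat any "injection" finding from an affected version as a confirmed compromise attempt and pull the device's own logs. Requests classified "unverified-body" need a reverse proxy or WAF that records request bodies before they can be cleared.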

Exploit · Fix · RCE

Weakness Enumeration: Special Elements Injection, OS Command Injection

Related Identifiers: BDU:2022-01213, CVE-2022-24989

Affected Products: Terramaster Nas