CVE-2022-24990

Name of the Vulnerable Software and Affected Versions TerraMaster OS versions 4.2.29 and earlier

Description The issue is related to the webNasIPS module in TerraMaster OS, which allows for the injection of arbitrary commands. This can enable a remote attacker to gain access to protected information. Specifically, the vulnerability can be exploited by sending a "User-Agent: TNAS" request to the module/api.php?mobile/webNasIPS endpoint and then reading the PWD field in the response, allowing the discovery of the administrative password.

Recommendations For versions 4.2.29 and earlier, update to a version later than 4.2.29 to resolve the issue. As a temporary workaround, consider restricting access to the module/api.php?mobile/webNasIPS endpoint until a patch is available. Avoid using the PWD field in the response from the module/api.php?mobile/webNasIPS endpoint until the issue is resolved.