
CVE-2020-15568

Published: 30/01/2021 Updated: 21/07/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

TerraMaster TOS prior to 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

Vulnerable Product

terra-master tos

Github Repositories

Repository for CVE-2020-15568 Metasploit module

TerraMaster TOS CVE-2020-15568. Vulnerable Application. Description: A dynamic class method invocation vulnerability exists in file include/exportUser.php, which leads to executing remote commands on TerraMaster devices with root privileges. The vulnerable file requires several HTTP GET parameters to be provided in order to reach meth

A quick and easy POC for CVE-2020-15568

Not tested but going off of information found here: ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/