Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2020-35665

Published: 23/12/2020 Updated: 12/06/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An unauthenticated command-execution vulnerability exists in TerraMaster TOS up to and including 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

terra-master terramaster operating system

Exploits

Exploit DB: TerraMaster TOS 4.2.06 Remote Code Execution
This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4206 and below via shell metacharacters in the Event parameter at vulnerable endpoint include/makecvsphp during CSV creation Any unauthenticated user can therefore execute commands on the system under the same privileges as the web ...
Exploit DB: TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution
This module exploits an unauthenticated remote code-execution vulnerability in TerraMaster TOS 4206 and lower via shell metacharacters in the Event parameter at vulnerable endpoint `include/makecvsphp` during CSV creation Any unauthenticated user can therefore execute commands on the system under the same privilege ...

Metasploit Modules

TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution

This module exploits an unauthenticated remote code-execution vulnerability in TerraMaster TOS 4.2.06 and lower via shell metacharacters in the Event parameter at vulnerable endpoint `include/makecvs.php` during CSV creation. Any unauthenticated user can therefore execute commands on the system under the same privileges as the web application, which typically runs under root at the TerraMaster Operating System.

msf > use exploit/linux/http/terramaster_unauth_rce_cve_2020_35665
msf exploit(terramaster_unauth_rce_cve_2020_35665) > show targets
    ...targets...
msf exploit(terramaster_unauth_rce_cve_2020_35665) > set TARGET < target-id >
msf exploit(terramaster_unauth_rce_cve_2020_35665) > show options
    ...show and set options...
msf exploit(terramaster_unauth_rce_cve_2020_35665) > exploit

References

CWE-78https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.htmlhttps://www.exploit-db.com/exploits/49330http://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.htmlhttps://nvd.nist.govhttps://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.htmlhttps://www.rapid7.com/db/modules/exploit/linux/http/terramaster_unauth_rce_cve_2020_35665/
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
denial of serviceCVE-2024-27371CVE-2024-20405CVE-2024-31627CVE-2024-31625race conditionCVE-2024-4358cross-site scriptingCVE-2023-20938
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook