Skip to main content

Improper Control of Dynamically-Managed Code Resources

CVE-2020-15568

Severity High
Score 9.8/10

Summary

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-913 - Improper Control of Dynamically-Managed Code Resources

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

Advisory Timeline

  • Published