CVE-2018-13338
CRITICAL
IN THE WILD
TerraMaster TOS 3.1.03 - OS Command Injection via Username Parameter
Title source: llm
Exploitation Summary
CVE-2018-13338 has been observed exploited in the wild (reported by InTheWild.io).
Description
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.securityevaluators.com/vulnerabilities-in-terramaster-tos-3-1-03-fb99cf88b86a
Scores
CVSS v3
9.8
EPSS
0.1023
EPSS Percentile
95.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
InTheWild.io
2021-04-18
CWE
CWE-78
Status
published
Products (1)
terra-master/terramaster_operating_system
3.1.03
Published
Nov 27, 2018
Tracked Since
Feb 18, 2026