CVE-2018-13338

CRITICAL IN THE WILD

TerraMaster TOS 3.1.03 - OS Command Injection via Username Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-13338 has been observed exploited in the wild (reported by InTheWild.io).

Description

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.1023
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2021-04-18
CWE
CWE-78
Status published
Products (1)
terra-master/terramaster_operating_system 3.1.03
Published Nov 27, 2018
Tracked Since Feb 18, 2026