In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
Published 2022-04-25 11:15:07
Updated 2023-06-12 07:16:12
Source MITRE
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-45841

0.26%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 64 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-45841

  • TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
    Disclosure Date: 2021-12-24
    First seen: 2023-09-11
    exploit/linux/http/terramaster_unauth_rce_cve_2021_45837
    Terramaster chained exploit that performs session crafting to achieve escalated privileges that allows an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected. CVE-2021-45839 is exploited to obtain the first administrator's has

CVSS scores for CVE-2021-45841

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.8
MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
NIST
8.1
HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2.2
5.9
NIST

References for CVE-2021-45841

Products affected by CVE-2021-45841

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!