CVE-2018-13355 in TerraMaster TOS
Summary
by MITRE
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.
Analysis
by VulDB Data Team • 04/15/2020
This cross-site scripting vulnerability exists within the Control Panel interface of the TerraMaster TOS operating system, version 3.1.03, and specifically affects the shared folder description functionality. The flaw represents a classic reflected cross-site scripting vulnerability that occurs when user-supplied input containing malicious JavaScript code is not properly sanitized before being rendered in the web interface. Attackers can exploit this weakness by crafting specially formatted descriptions for shared folders that contain embedded JavaScript payloads, which then execute in the context of other users who view these descriptions within the control panel environment. This vulnerability falls under CWE-79, which categorizes improper neutralization of input during web page generation, specifically the failure to sanitize user-controllable data that gets reflected back to users.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to hijack user sessions, steal sensitive information, and potentially escalate privileges within the TerraMaster system. When users navigate to shared folders containing malicious descriptions, their browsers execute the injected JavaScript code, which can perform actions such as stealing authentication cookies, redirecting users to malicious sites, or modifying the web interface to deceive users. The attack vector is particularly insidious because it leverages legitimate system functionality for sharing files and folders, making it difficult for users to distinguish between benign and malicious content. This vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter and T1566.001 for spearphishing with attachments, as attackers can use this weakness to deliver malicious payloads through seemingly legitimate shared folder descriptions.
Exploitation requires minimal prerequisites, as attackers only need access to create or modify shared folder descriptions within the TerraMaster system. This makes the vulnerability particularly dangerous in multi-user environments where shared folders are commonly used for collaboration and file sharing. The vulnerability affects the web-based control panel interface, meaning that any user with sufficient privileges to modify folder descriptions can potentially exploit this weakness. The lack of proper input validation and output encoding in the description handling code creates a persistent security gap that allows arbitrary JavaScript execution. Organizations using TerraMaster TOS version 3.1.03 should immediately implement mitigations including input sanitization, output encoding, and regular security updates to address this vulnerability. The recommended remediation approach involves implementing strict validation of all user-supplied data before storage and proper HTML encoding when rendering content to prevent JavaScript execution in web contexts.
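The remediation described above (validation before storage, HTML encoding at render time) is sketched below as an added example. It is not TerraMaster TOS code: the function names, the 256-character limit, and the sample folder records are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not taken from TerraMaster TOS.

// The five characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Validation before storage: bound the length and reject control characters.
// This narrows the input but does not replace encoding at render time.
const MAX_DESCRIPTION_LENGTH = 256; // assumed limit

function validateDescription(description) {
  if (typeof description !== 'string') return { ok: false, reason: 'not a string' };
  if (description.length > MAX_DESCRIPTION_LENGTH) return { ok: false, reason: 'too long' };
  if (/[\u0000-\u001f\u007f]/.test(description)) return { ok: false, reason: 'control character' };
  return { ok: true, value: description.trim() };
}

// Weak form: the stored description is concatenated into markup unencoded.
function renderRowUnsafe(folder) {
  return `<tr><td>${folder.name}</td><td title="${folder.description}">${folder.description}</td></tr>`;
}

// Corrected form: every dynamic value is encoded for its HTML context.
function renderRowSafe(folder) {
  const name = escapeHtml(folder.name);
  const description = escapeHtml(folder.description);
  return `<tr><td>${name}</td><td title="${description}">${description}</td></tr>`;
}

// Regression check used by the test: did markup survive into the output?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html);
}

// Constructed sample records, as they might come back from storage.
const sampleFolders = [
  { name: 'public', description: 'Team documents & scans' },
  { name: 'media', description: '"><script>alert(1)</script>' },
];

for (const folder of sampleFolders) {
  console.log(renderRowSafe(folder));
}
```

The validator deliberately accepts the second sample description: length and character-class checks do not stop markup, which is why the encoding step at render time is the control that matters.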