VYPR

Tos

by Terra Master

CVEs (12)

  • CVE-2024-34539 | Cri | Jun 14, 2024
    risk 0.61 | cvss 9.4 | epss 0.01

    Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully log in to the mail or webmail server. These credentials can also be used to log in to the administration panel and to perform privileged actions.

  • CVE-2021-45837 | Apr 25, 2022
    risk 0.09 | cvss | epss 0.81

    It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

  • CVE-2021-45841 | Apr 25, 2022
    risk 0.08 | cvss | epss 0.66

    In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash, allowing an unauthenticated attacker to log in as guest.

  • CVE-2021-45839 | Apr 25, 2022
    risk 0.07 | cvss | epss 0.54

    It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), as well as other information such as the MAC address and internal IP address, by performing a request to the /module/api.php?mobile/webNasIPS endpoint.

  • CVE-2018-13336 | Nov 27, 2018
    risk 0.01 | cvss | epss 0.12

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.

  • CVE-2021-45836 | Apr 25, 2022
    risk 0.00 | cvss | epss 0.01

    An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.

  • CVE-2021-45840 | Apr 25, 2022
    risk 0.00 | cvss | epss 0.02

    It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.

  • CVE-2021-45842 | Apr 25, 2022
    risk 0.00 | cvss | epss 0.01

    It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), as well as other information such as the MAC address and internal IP address, by performing a request to the /module/api.php?mobile/wapNasIPS endpoint.

  • CVE-2018-13329 | Nov 27, 2018
    risk 0.00 | cvss | epss 0.00

    Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.

  • CVE-2018-13331 | Nov 27, 2018
    risk 0.00 | cvss | epss 0.00

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.

  • CVE-2018-13333 | Nov 27, 2018
    risk 0.00 | cvss | epss 0.00

    Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.

  • CVE-2018-13357 | Nov 27, 2018
    risk 0.00 | cvss | epss 0.00

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.