VYPR

Tos

by Terra Master

CVEs (39)

  • CVE-2018-13332HigNov 27, 2018
    risk 0.49cvss 7.5epss 0.02

    Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.

  • CVE-2020-28186HigDec 24, 2020
    risk 0.48cvss 7.3epss 0.04

    Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.

  • CVE-2018-13330HigNov 27, 2018
    risk 0.47cvss 7.2epss 0.08

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.

  • CVE-2021-45839MedApr 25, 2022
    risk 0.46cvss 6.5epss 0.09

    It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS…

  • CVE-2018-13355MedNov 27, 2018
    risk 0.42cvss 6.5epss 0.01

    Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.

  • CVE-2018-13360MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.

  • CVE-2018-13349MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.

  • CVE-2018-13333MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.

  • CVE-2018-13331MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.

  • CVE-2018-13334MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.

  • CVE-2018-13329MedNov 27, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.

  • CVE-2020-28190MedDec 24, 2020
    risk 0.38cvss 5.9epss 0.01

    TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates.

  • CVE-2020-28185MedDec 24, 2020
    risk 0.36cvss 5.3epss 0.18

    User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.

  • CVE-2018-13361MedNov 27, 2018
    risk 0.36cvss 5.3epss 0.17

    User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.

  • CVE-2020-28184MedDec 24, 2020
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.

  • CVE-2018-13357MedNov 27, 2018
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.

  • CVE-2018-13335MedNov 27, 2018
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.

  • CVE-2018-13337MedNov 27, 2018
    risk 0.35cvss 5.4epss 0.01

    Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.

  • CVE-2018-13351MedNov 27, 2018
    risk 0.31cvss 4.8epss 0.01

    Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.

Page 2 of 2