Tos
by Terra Master
CVEs (39)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-13332 | Hig | 0.49 | 7.5 | 0.02 | Nov 27, 2018 | Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter. | ||
| CVE-2020-28186 | Hig | 0.48 | 7.3 | 0.04 | Dec 24, 2020 | Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | ||
| CVE-2018-13330 | Hig | 0.47 | 7.2 | 0.08 | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter. | ||
| CVE-2021-45839 | Med | 0.46 | 6.5 | 0.09 | Apr 25, 2022 | It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS… | ||
| CVE-2018-13355 | Med | 0.42 | 6.5 | 0.01 | Nov 27, 2018 | Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. | ||
| CVE-2018-13360 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter. | ||
| CVE-2018-13349 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. | ||
| CVE-2018-13333 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames. | ||
| CVE-2018-13331 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames. | ||
| CVE-2018-13334 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter. | ||
| CVE-2018-13329 | Med | 0.40 | 6.1 | 0.01 | Nov 27, 2018 | Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter. | ||
| CVE-2020-28190 | Med | 0.38 | 5.9 | 0.01 | Dec 24, 2020 | TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates. | ||
| CVE-2020-28185 | Med | 0.36 | 5.3 | 0.18 | Dec 24, 2020 | User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. | ||
| CVE-2018-13361 | Med | 0.36 | 5.3 | 0.17 | Nov 27, 2018 | User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter. | ||
| CVE-2020-28184 | Med | 0.35 | 5.4 | 0.01 | Dec 24, 2020 | Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. | ||
| CVE-2018-13357 | Med | 0.35 | 5.4 | 0.01 | Nov 27, 2018 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. | ||
| CVE-2018-13335 | Med | 0.35 | 5.4 | 0.01 | Nov 27, 2018 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. | ||
| CVE-2018-13337 | Med | 0.35 | 5.4 | 0.01 | Nov 27, 2018 | Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. | ||
| CVE-2018-13351 | Med | 0.31 | 4.8 | 0.01 | Nov 27, 2018 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. |
- risk 0.49cvss 7.5epss 0.02
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
- risk 0.48cvss 7.3epss 0.04
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
- risk 0.47cvss 7.2epss 0.08
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
- risk 0.46cvss 6.5epss 0.09
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS…
- risk 0.42cvss 6.5epss 0.01
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.
- risk 0.38cvss 5.9epss 0.01
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates.
- risk 0.36cvss 5.3epss 0.18
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
- risk 0.36cvss 5.3epss 0.17
User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.
- risk 0.35cvss 5.4epss 0.01
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
- risk 0.31cvss 4.8epss 0.01
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
Page 2 of 2