VYPR
Vendor: Terra Master

Products: 4
CVEs: 47
Across products: 48
Status: Private

Recent CVEs

  • CVE-2017-9328 | Critical | Sep 15, 2017
    risk 0.64 | cvss 9.8 | epss 0.07

    Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root.

  • CVE-2024-34539 | Critical | Jun 14, 2024
    risk 0.61 | cvss 9.4 | epss 0.01

    Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully log in to the mail or webmail server. These credentials can also be used to log in to the administration panel and to perform privileged actions.

  • CVE-2020-28188 | Dec 24, 2020
    risk 0.10 | cvss - | epss 0.97

    Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.

  • CVE-2020-35665 | Dec 23, 2020
    risk 0.10 | cvss - | epss 0.78

    An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

  • CVE-2021-45837 | Apr 25, 2022
    risk 0.09 | cvss - | epss 0.16

    It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

  • CVE-2021-45841 | Apr 25, 2022
    risk 0.08 | cvss - | epss 0.08

    In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker…

  • CVE-2021-45839 | Apr 25, 2022
    risk 0.07 | cvss - | epss 0.09

    It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS…

  • CVE-2020-15568 | Jan 30, 2021
    risk 0.07 | cvss - | epss 0.28

    TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the…

  • CVE-2020-28185 | Dec 24, 2020
    risk 0.07 | cvss - | epss 0.18

    User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.

  • CVE-2020-28187 | Dec 24, 2020
    risk 0.05 | cvss - | epss 0.16

    Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php,…

  • CVE-2020-28186 | Dec 24, 2020
    risk 0.02 | cvss - | epss 0.04

    Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.

  • CVE-2018-13358 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.25

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.

  • CVE-2018-13354 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.23

    System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.

  • CVE-2018-13330 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.08

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.

  • CVE-2018-13336 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.09

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.

  • CVE-2018-13418 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.05

    System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.

  • CVE-2018-13338 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.10

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.

  • CVE-2018-13353 | Nov 27, 2018
    risk 0.01 | cvss - | epss 0.06

    System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.

  • CVE-2023-48185 | Nov 17, 2023
    risk 0.00 | cvss - | epss 0.01

    Directory Traversal vulnerability in TerraMaster v.s1.0 through v.2.295 allows a remote attacker to obtain sensitive information via a crafted GET request.

  • CVE-2021-45836 | Apr 25, 2022
    risk 0.00 | cvss - | epss 0.02

    An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.