Terra Master
Products
4
- 40 CVEs
- 6 CVEs
- 1 CVE
- 1 CVE
Recent CVEs
47

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9328 | | Cri | 0.64 | 9.8 | 0.07 | | Sep 15, 2017 | Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root. |
| CVE-2024-34539 | | Cri | 0.61 | 9.4 | 0.01 | | Jun 14, 2024 | Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged actions. |
| CVE-2020-28188 | | | 0.10 | — | 0.97 | | Dec 24, 2020 | Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter. |
| CVE-2020-35665 | | | 0.10 | — | 0.78 | | Dec 23, 2020 | An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. |
| CVE-2021-45837 | | | 0.09 | — | 0.16 | | Apr 25, 2022 | It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del. |
| CVE-2021-45841 | | | 0.08 | — | 0.08 | | Apr 25, 2022 | In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker… |
| CVE-2021-45839 | | | 0.07 | — | 0.09 | | Apr 25, 2022 | It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS… |
| CVE-2020-15568 | | | 0.07 | — | 0.28 | | Jan 30, 2021 | TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the… |
| CVE-2020-28185 | | | 0.07 | — | 0.18 | | Dec 24, 2020 | User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. |
| CVE-2020-28187 | | | 0.05 | — | 0.16 | | Dec 24, 2020 | Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php,… |
| CVE-2020-28186 | | | 0.02 | — | 0.04 | | Dec 24, 2020 | Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. |
| CVE-2018-13358 | | | 0.01 | — | 0.25 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter. |
| CVE-2018-13354 | | | 0.01 | — | 0.23 | | Nov 27, 2018 | System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter. |
| CVE-2018-13330 | | | 0.01 | — | 0.08 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter. |
| CVE-2018-13336 | | | 0.01 | — | 0.09 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation. |
| CVE-2018-13418 | | | 0.01 | — | 0.05 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter. |
| CVE-2018-13338 | | | 0.01 | — | 0.10 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation. |
| CVE-2018-13353 | | | 0.01 | — | 0.06 | | Nov 27, 2018 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. |
| CVE-2023-48185 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | Directory Traversal vulnerability in TerraMaster v.s1.0 through v.2.295 allows a remote attacker to obtain sensitive information via a crafted GET request. |
| CVE-2021-45836 | | | 0.00 | — | 0.02 | | Apr 25, 2022 | An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app. |