Filtered by vendor Terra-master
Subscriptions
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-13353 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-05 | N/A |
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. | ||||
CVE-2018-13355 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-05 | N/A |
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. | ||||
CVE-2018-13349 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-05 | N/A |
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. | ||||
CVE-2018-13333 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-05 | N/A |
Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames. | ||||
CVE-2018-13332 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-05 | N/A |
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter. | ||||
CVE-2019-18383 | 1 Terra-master | 2 Fs-210, Fs-210 Firmware | 2024-08-05 | 7.5 High |
An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramaster_TNAS-00E43A_config_backup.bin without permission. | ||||
CVE-2019-18385 | 1 Terra-master | 2 Fs-210, Fs-210 Firmware | 2024-08-05 | 7.5 High |
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring. | ||||
CVE-2019-18384 | 1 Terra-master | 2 Fs-210, Fs-210 Firmware | 2024-08-05 | 6.5 Medium |
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring. | ||||
CVE-2019-18195 | 1 Terra-master | 2 F2-210, F2-210 Firmware | 2024-08-05 | 8.8 High |
An issue was discovered on TerraMaster FS-210 4.0.19 devices. Normal users can use 1.user.php for privilege elevation. | ||||
CVE-2020-35665 | 1 Terra-master | 1 Terramaster Operating System | 2024-08-04 | 9.8 Critical |
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. | ||||
CVE-2020-29189 | 1 Terra-master | 1 Tos | 2024-08-04 | 8.1 High |
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS | ||||
CVE-2020-28187 | 1 Terra-master | 1 Tos | 2024-08-04 | 9.8 Critical |
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php. | ||||
CVE-2020-28188 | 1 Terra-master | 1 Tos | 2024-08-04 | 9.8 Critical |
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter. | ||||
CVE-2020-28186 | 1 Terra-master | 1 Tos | 2024-08-04 | 7.3 High |
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. | ||||
CVE-2020-28185 | 1 Terra-master | 1 Tos | 2024-08-04 | 5.3 Medium |
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. | ||||
CVE-2020-28190 | 1 Terra-master | 1 Tos | 2024-08-04 | 5.9 Medium |
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates. | ||||
CVE-2020-28184 | 1 Terra-master | 1 Tos | 2024-08-04 | 5.4 Medium |
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php. | ||||
CVE-2020-15568 | 1 Terra-master | 1 Tos | 2024-08-04 | 9.8 Critical |
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. | ||||
CVE-2021-45839 | 1 Terra-master | 3 F2-210, F4-210, Tos | 2024-08-04 | 6.5 Medium |
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint. | ||||
CVE-2021-45837 | 1 Terra-master | 3 F2-210, F4-210, Tos | 2024-08-04 | 9.8 Critical |
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del. |