Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Terramaster_operating_system
(Terra\-Master)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 28 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-02-07 | CVE-2022-24990 | TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. | Terramaster_operating_system | 7.5 | ||
| 2023-08-20 | CVE-2022-24989 | TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used. | Terramaster_operating_system | 9.8 | ||
| 2020-12-23 | CVE-2020-35665 | An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. | Terramaster_operating_system | 9.8 | ||
| 2018-11-27 | CVE-2018-13359 | Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter. | Terramaster_operating_system | 8.8 | ||
| 2018-11-27 | CVE-2018-13418 | System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter. | Terramaster_operating_system | 8.8 | ||
| 2018-11-27 | CVE-2018-13361 | User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter. | Terramaster_operating_system | 5.3 | ||
| 2018-11-27 | CVE-2018-13360 | Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter. | Terramaster_operating_system | 6.1 | ||
| 2018-11-27 | CVE-2018-13358 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter. | Terramaster_operating_system | 8.8 | ||
| 2018-11-27 | CVE-2018-13357 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. | Terramaster_operating_system | 5.4 | ||
| 2018-11-27 | CVE-2018-13356 | Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions. | Terramaster_operating_system | 8.8 |