Terramaster Operating System

terramaster_operating_system

Vendor: Terra Master • 28 CVEs

CVEs (28)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-24989 1Terra Master 1Terramaster Operating System Nov 21, 2024 Aug 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharac...Show more TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.Show less
CVE-2022-24990 1Terra Master 1Terramaster Operating System Nov 7, 2025 Feb 7, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVE-2020-35665 1Terra Master 1Terramaster Operating System Nov 21, 2024 Dec 23, 2020 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
CVE-2018-13418 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
CVE-2018-13361 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
CVE-2018-13360 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
CVE-2018-13359 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
CVE-2018-13358 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
CVE-2018-13357 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
CVE-2018-13356 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
CVE-2018-13355 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
CVE-2018-13354 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
CVE-2018-13353 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
CVE-2018-13352 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
CVE-2018-13351 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
CVE-2018-13350 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
CVE-2018-13349 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
CVE-2018-13338 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
CVE-2018-13336 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
CVE-2018-13335 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions.

12 Next