Terra-Master Terramaster Operating System vulnerabilities
28 known vulnerabilities affecting terra-master/terramaster_operating_system.
Total CVEs: 28
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 6
Severity breakdown: CRITICAL 7, HIGH 9, MEDIUM 12
Vulnerabilities
Page 1 of 2
CVE-2022-24990 | P1 | HIGH | CVSS 7.5 | CWE-306 | KEV | PoC | Ransomware | fixed in 4.2.31 | 2023-02-07
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
nvd
CVE-2020-35665 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited | PoC | ≤ 4.2.06 | 2020-12-23
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
nvd
CVE-2022-24989 | P1 | CRITICAL | CVSS 9.8 | CWE-74 | Exploited | PoC | Ransomware | fixed in 4.2.31 | 2023-08-20
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation c
nvd
CVE-2018-13350 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | Exploited | v3.1.03 | 2018-11-27
SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
nvd
CVE-2018-13354 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited | v3.1.03 | 2018-11-27
System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
nvd
CVE-2018-13338 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
nvd
CVE-2018-13358 | P2 | HIGH | CVSS 8.8 | CWE-78 | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
nvd
CVE-2017-9328 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | ≤ 3.0.33 | 2017-09-15
Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root.
nvd
CVE-2018-13336 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
nvd
CVE-2018-13353 | P2 | HIGH | CVSS 8.8 | CWE-78 | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
nvd
CVE-2018-13418 | P2 | HIGH | CVSS 8.8 | CWE-78 | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
nvd
CVE-2018-13330 | P3 | HIGH | CVSS 7.2 | CWE-78 | v3.1.03 | 2018-11-27
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
nvd
CVE-2018-13359 | P3 | HIGH | CVSS 8.8 | CWE-79 | v3.1.03 | 2018-11-27
Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
nvd
CVE-2018-13356 | P3 | HIGH | CVSS 8.8 | CWE-863 | v3.1.03 | 2018-11-27
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
nvd
CVE-2018-13332 | P3 | HIGH | CVSS 7.5 | CWE-22 | v3.1.03 | 2018-11-27
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
nvd
CVE-2018-13352 | P3 | HIGH | CVSS 7.5 | CWE-200 | v3.1.03 | 2018-11-27
Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
nvd
CVE-2018-13361 | P3 | MEDIUM | CVSS 5.3 | CWE-20 | v3.1.03 | 2018-11-27
User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
nvd
CVE-2018-13355 | P4 | MEDIUM | CVSS 6.5 | CWE-732 | v3.1.03 | 2018-11-27
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
nvd
CVE-2018-13337 | P4 | MEDIUM | CVSS 5.4 | CWE-384 | v3.1.03 | 2018-11-27
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
nvd
CVE-2018-13360 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v3.1.03 | 2018-11-27
Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
nvd