Filtered by vendor Terra-master Subscriptions
Filtered by product Terramaster Operating System Subscriptions
Total 28 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-24990 1 Terra-master 30 F2-210, F2-221, F2-223 and 27 more 2024-11-21 7.5 High
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVE-2022-24989 1 Terra-master 30 F2-210, F2-221, F2-223 and 27 more 2024-11-21 9.8 Critical
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
CVE-2020-35665 1 Terra-master 1 Terramaster Operating System 2024-11-21 9.8 Critical
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
CVE-2018-13418 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
CVE-2018-13361 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
CVE-2018-13360 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
CVE-2018-13359 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
CVE-2018-13358 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
CVE-2018-13357 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
CVE-2018-13356 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
CVE-2018-13355 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
CVE-2018-13354 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
CVE-2018-13353 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
CVE-2018-13352 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
CVE-2018-13351 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
CVE-2018-13350 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
CVE-2018-13349 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username.
CVE-2018-13338 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
CVE-2018-13337 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
CVE-2018-13336 1 Terra-master 1 Terramaster Operating System 2024-11-21 N/A
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.