28 Total Results
Displaying 1-10 of 28
Attacker Value
Very High
CVE-2022-24990
Disclosure Date: February 07, 2023 (last updated October 08, 2023)
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
4
Attacker Value
Very High
CVE-2020-35665
Disclosure Date: December 23, 2020 (last updated February 22, 2025)
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
2
Attacker Value
Unknown
CVE-2022-24989
Disclosure Date: August 20, 2023 (last updated October 08, 2023)
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
0
Attacker Value
Unknown
CVE-2018-13332
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
0
Attacker Value
Unknown
CVE-2018-13352
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory.
0
Attacker Value
Unknown
CVE-2018-13357
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
0
Attacker Value
Unknown
CVE-2018-13359
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
0
Attacker Value
Unknown
CVE-2018-13361
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
0
Attacker Value
Unknown
CVE-2018-13331
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames.
0
Attacker Value
Unknown
CVE-2018-13351
Disclosure Date: November 27, 2018 (last updated November 27, 2024)
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.
0