Vulnerabilities > Terra Master

DATE CVE VULNERABILITY TITLE RISK
2021-04-03 CVE-2021-30127 Incorrect Authorization vulnerability in Terra-Master F2-210 Firmware 4.0.19
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation.
network
low complexity
terra-master CWE-863
7.5
2021-01-30 CVE-2020-15568 OS Command Injection vulnerability in Terra-Master TOS
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root.
network
low complexity
terra-master CWE-78
critical
10.0
2020-12-24 CVE-2020-29189 Incorrect Authorization vulnerability in Terra-Master TOS
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
network
low complexity
terra-master CWE-863
5.5
2020-12-24 CVE-2020-28190 Unspecified vulnerability in Terra-Master TOS
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP).
network
terra-master
4.3
2020-12-24 CVE-2020-28188 OS Command Injection vulnerability in Terra-Master TOS
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
network
low complexity
terra-master CWE-78
critical
10.0
2020-12-24 CVE-2020-28187 Path Traversal vulnerability in Terra-Master TOS
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
network
low complexity
terra-master CWE-22
critical
10.0
2020-12-24 CVE-2020-28186 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Terra-Master TOS
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
6.8
2020-12-24 CVE-2020-28185 Unspecified vulnerability in Terra-Master TOS
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
network
low complexity
terra-master
5.0
2020-12-24 CVE-2020-28184 Cross-site Scripting vulnerability in Terra-Master TOS
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
3.5
2020-12-23 CVE-2020-35665 Unrestricted Upload of File with Dangerous Type vulnerability in Terra-Master Terramaster Operating System 3.0.33/3.1.03/4.2.06
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
network
low complexity
terra-master CWE-434
critical
10.0