Vulnerabilities > Terra Master

DATE CVE VULNERABILITY TITLE RISK
2020-12-24 CVE-2020-29189 Incorrect Authorization vulnerability in Terra-Master TOS
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
network
low complexity
terra-master CWE-863
5.5
2020-12-24 CVE-2020-28190 Unspecified vulnerability in Terra-Master TOS
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP).
network
terra-master
4.3
2020-12-24 CVE-2020-28188 OS Command Injection vulnerability in Terra-Master TOS
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
network
low complexity
terra-master CWE-78
critical
10.0
2020-12-24 CVE-2020-28187 Path Traversal vulnerability in Terra-Master TOS
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
network
low complexity
terra-master CWE-22
critical
10.0
2020-12-24 CVE-2020-28186 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Terra-Master TOS
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
6.8
2020-12-24 CVE-2020-28185 Unspecified vulnerability in Terra-Master TOS
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
network
low complexity
terra-master
5.0
2020-12-24 CVE-2020-28184 Cross-Site Scripting vulnerability in Terra-Master TOS
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
3.5
2020-12-23 CVE-2020-35665 Unrestricted Upload of File With Dangerous Type vulnerability in Terra-Master Terramaster Operating System 3.1.03/4.2.06
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
network
low complexity
terra-master CWE-434
critical
10.0
2019-10-28 CVE-2019-18195 Unspecified vulnerability in Terra-Master F2-210 Firmware 4.0.19
An issue was discovered on TerraMaster FS-210 4.0.19 devices.
network
low complexity
terra-master
6.5
2019-10-23 CVE-2019-18385 Information Exposure Through LOG Files vulnerability in Terra-Master Fs-210 Firmware 4.0.19
An issue was discovered on TerraMaster FS-210 4.0.19 devices.
network
low complexity
terra-master CWE-532
5.0