Vulnerabilities > Terra Master > TOS > 4.0.17

DATE CVE VULNERABILITY TITLE RISK
2021-01-30 CVE-2020-15568 Improper Control of Dynamically-Managed Code Resources vulnerability in Terra-Master TOS
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root.
network
low complexity
terra-master CWE-913
critical
9.8
2020-12-24 CVE-2020-29189 Unspecified vulnerability in Terra-Master TOS
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
network
low complexity
terra-master
8.1
2020-12-24 CVE-2020-28190 Unspecified vulnerability in Terra-Master TOS
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP).
network
high complexity
terra-master
5.9
2020-12-24 CVE-2020-28188 OS Command Injection vulnerability in Terra-Master TOS
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
network
low complexity
terra-master CWE-78
critical
9.8
2020-12-24 CVE-2020-28187 Path Traversal vulnerability in Terra-Master TOS
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
network
low complexity
terra-master CWE-22
critical
9.8
2020-12-24 CVE-2020-28186 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Terra-Master TOS
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
network
low complexity
terra-master CWE-640
7.3
2020-12-24 CVE-2020-28185 Unspecified vulnerability in Terra-Master TOS
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
network
low complexity
terra-master
5.3
2020-12-24 CVE-2020-28184 Cross-site Scripting vulnerability in Terra-Master TOS
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
network
low complexity
terra-master CWE-79
5.4