Terra-master Terramaster Operating System — known CVE vulnerabilities
Every CVE whose affected-product data names Terra-master Terramaster Operating System, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (28)
CVE-2018-13350 — CVSS 9.8 (critical): SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter.
CVE-2020-35665 — CVSS 9.8 (critical): An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter…
CVE-2017-9328 — CVSS 9.8 (critical): Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code…
CVE-2018-13336 — CVSS 9.8 (critical): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd"…
CVE-2018-13338 — CVSS 9.8 (critical): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username"…
CVE-2018-13354 — CVSS 9.8 (critical): System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event"…
CVE-2022-24989 — CVSS 9.8 (critical): TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for…
CVE-2018-13353 — CVSS 8.8 (high): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport"…
CVE-2018-13359 — CVSS 8.8 (high): Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
CVE-2018-13358 — CVSS 8.8 (high): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName"…
CVE-2018-13356 — CVSS 8.8 (high): Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
CVE-2018-13418 — CVSS 8.8 (high): System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
CVE-2018-13332 — CVSS 7.5 (high): Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations…
CVE-2018-13352 — CVSS 7.5 (high): Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a…
CVE-2018-13330 — CVSS 7.2 (high): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group…
CVE-2018-13355 — CVSS 6.5 (medium): Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper…
CVE-2018-13329 — CVSS 6.1 (medium): Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter.
CVE-2018-13349 — CVSS 6.1 (medium): Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's…
CVE-2018-13334 — CVSS 6.1 (medium): Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]"…
CVE-2018-13360 — CVSS 6.1 (medium): Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL…
CVE-2018-13333 — CVSS 6.1 (medium): Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by…
CVE-2018-13331 — CVSS 6.1 (medium): Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by…
CVE-2018-13357 — CVSS 5.4 (medium): Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders…
CVE-2018-13335 — CVSS 5.4 (medium): Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders…
CVE-2018-13337 — CVSS 5.4 (medium): Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via…
CVE-2018-13361 — CVSS 5.3 (medium): User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
CVE-2018-13351 — CVSS 4.8 (medium): Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form.