Tos Security Vulnerabilities and Issues — Tos CVE List

Lucene search

Terra-masterTos

15 matches found

CVE•added 2020/12/24 3:15 p.m.•230 views

CVE-2020-28188

Remote Command Execution (RCE) vulnerability in TerraMaster TOS

10CVSS9.6AI score0.9344EPSS

CVE•added 2021/01/30 5:15 a.m.•203 views

CVE-2020-15568

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

10CVSS9.6AI score0.9312EPSS

CVE•added 2022/04/25 11:15 a.m.•164 views

CVE-2021-45837

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

10CVSS9.6AI score0.80774EPSS

CVE•added 2022/04/25 11:15 a.m.•152 views

CVE-2021-45839

It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint.

6.5CVSS7.6AI score0.48962EPSS

CVE•added 2022/04/25 11:15 a.m.•151 views

CVE-2021-45841

In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.

8.1CVSS8.9AI score0.61173EPSS

CVE•added 2022/04/25 11:15 a.m.•77 views

CVE-2021-45842

It is possible to obtain the first administrator's hash set up in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) on the system as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/wapNasIPS endpoint.

7.5CVSS7.7AI score0.00583EPSS

CVE•added 2022/04/25 11:15 a.m.•73 views

CVE-2021-45840

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.

10CVSS9.7AI score0.01854EPSS

CVE•added 2020/12/24 3:15 p.m.•56 views

CVE-2020-28185

User Enumeration vulnerability in TerraMaster TOS

5.3CVSS5.7AI score0.88628EPSS

CVE•added 2022/04/25 11:15 a.m.•52 views

CVE-2021-45836

An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.

9CVSS8.8AI score0.00751EPSS

CVE•added 2020/12/24 3:15 p.m.•50 views

CVE-2020-28187

Multiple directory traversal vulnerabilities in TerraMaster TOS

10CVSS9.1AI score0.64157EPSS

CVE•added 2020/12/24 3:15 p.m.•45 views

CVE-2020-28186

Email Injection in TerraMaster TOS

7.3CVSS8AI score0.30022EPSS

CVE•added 2020/12/24 3:15 p.m.•44 views

CVE-2020-29189

Incorrect Access Control vulnerability in TerraMaster TOS

8.1CVSS8.1AI score0.0022EPSS

CVE•added 2020/12/24 3:15 p.m.•42 views

CVE-2020-28190

TerraMaster TOS

5.9CVSS6.6AI score0.00241EPSS

CVE•added 2020/12/24 3:15 p.m.•41 views

CVE-2020-28184

Cross-site scripting (XSS) vulnerability in TerraMaster TOS

5.4CVSS5.6AI score0.00242EPSS

CVE•added 2024/06/14 3:15 p.m.•35 views

CVE-2024-34539

Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged actions.

9.4CVSS6.8AI score0.00302EPSS