Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In 2018
CVE-2018-13355
Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization.
CVSS Score
6.5
EPSS Score
0.001
Published
2018-11-27
CVE-2018-13356
Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-11-27
CVE-2018-13357
Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-11-27
CVE-2018-13358
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
CVSS Score
8.8
EPSS Score
0.204
Published
2018-11-27
CVE-2018-0719
Cross-site Scripting (XSS) vulnerability in NAS devices of QNAP Systems Inc. QTS allows attackers to inject javascript. This issue affects: QNAP Systems Inc. QTS version 4.2.6 and prior versions on build 20180711; version 4.3.3 and prior versions on build 20180725; version 4.3.4 and prior versions on build 20180710.
CVSS Score
5.5
EPSS Score
0.002
Published
2018-11-27
CVE-2018-10142
The Expedition Migration tool 1.0.106 and earlier may allow an unauthenticated attacker to enumerate files on the operating system.
CVSS Score
7.5
EPSS Score
0.007
Published
2018-11-27
CVE-2018-13022
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-11-27
CVE-2018-13023
System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter.
CVSS Score
8.8
EPSS Score
0.204
Published
2018-11-27
CVE-2018-13306
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
CVSS Score
9.8
EPSS Score
0.153
Published
2018-11-27
CVE-2018-13307
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
CVSS Score
9.8
EPSS Score
0.153
Published
2018-11-27


Products
Pricing
Contact Us

Shodan ® - All rights reserved