Vulnerabilities
TerraMaster NAS (TOS) through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters of the api.php?mobile/createRaid URI (PHP object instantiation). Shell metacharacters placed in raidtype are passed to popen without any sanitization. The administrative password disclosed by CVE-2022-24990 (below) can be used to reach this endpoint, so the two issues chain into root code execution from the WAN without prior credentials.
CVSS Score: 9.8 | EPSS Score: 0.776 | Published: 2023-08-20

CVE-2022-24990 (Known exploited)
TerraMaster NAS 4.2.29 and earlier allows unauthenticated remote attackers to discover the administrative password by sending the header "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and reading the PWD field in the response. This is the credential source for the createRaid root command injection listed above.
CVSS Score: 7.5 | EPSS Score: 0.944 | Published: 2023-02-07

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter of include/makecvs.php during CSV creation.
CVSS Score: 9.8 | EPSS Score: 0.894 | Published: 2020-12-23

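The three server-side issues above (the webNasIPS password disclosure, the createRaid root command injection chained after it, and the makecvs.php Event injection) share a detectable shape: a fixed endpoint plus either a fixed header or shell metacharacters in a named parameter. The following is an added example of detection logic over request records, written for this page and not code from Shodan or TerraMaster. The record layout, the form-encoded POST body for createRaid, the module/ prefix on the createRaid path, and the exact-match reading of User-Agent "TNAS" are assumptions; the sample records are constructed, not real captures.

```python
"""Added example: detection for the TerraMaster request patterns listed above.

Scans constructed reverse-proxy / WAF request records for
  1. module/api.php?mobile/webNasIPS requested with User-Agent "TNAS"
     (CVE-2022-24990 administrative password disclosure),
  2. api.php?mobile/createRaid with shell metacharacters in raidtype or
     diskstring (the root command injection the listing chains after it),
  3. include/makecvs.php with shell metacharacters in Event,
and then correlates 1 and 2 by source IP, which is the chain described above.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters a shell interprets; their presence in a parameter that the
# listing says reaches popen unsanitized is the signal.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Constructed records (not real traffic). Field layout is an assumption:
# whatever sits in front of the NAS must log target, User-Agent and POST body.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "method": "GET", "ua": "TNAS",
     "target": "/module/api.php?mobile/webNasIPS", "body": ""},
    {"ip": "203.0.113.10", "method": "POST", "ua": "TNAS",
     "target": "/module/api.php?mobile/createRaid",
     "body": "raidtype=single%3Bid%3E%2Ftmp%2Fx&diskstring=sda"},
    {"ip": "198.51.100.7", "method": "GET", "ua": "Mozilla/5.0",
     "target": "/include/makecvs.php?Event=%60id%60", "body": ""},
    {"ip": "192.0.2.5", "method": "GET", "ua": "Mozilla/5.0",
     "target": "/module/api.php?mobile/webNasIPS", "body": ""},
    {"ip": "192.0.2.9", "method": "POST", "ua": "TNAS",
     "target": "/module/api.php?mobile/createRaid",
     "body": "raidtype=raid1&diskstring=sda%2Csdb"},
]


def split_target(target):
    """Return (path, action, params). TOS puts the action as the first
    query token without '=' (e.g. 'mobile/createRaid'); the remaining
    tokens are ordinary key=value parameters."""
    parts = urlsplit(target)
    first, _, rest = parts.query.partition("&")
    if "=" in first or not first:
        return parts.path, "", parse_qs(parts.query)
    return parts.path, unquote(first), parse_qs(rest)


def tainted(params, names):
    """Names among `names` whose decoded values contain shell metacharacters."""
    return [n for n in names if any(SHELL_META.search(v) for v in params.get(n, []))]


def detect(records):
    """Return (ip, rule) findings in record order."""
    findings = []
    for r in records:
        path, action, params = split_target(r["target"])
        if r["method"] == "POST" and r.get("body"):
            params.update(parse_qs(r["body"]))  # assumption: form-encoded body
        if path.endswith("/api.php"):
            if action == "mobile/webNasIPS" and r["ua"].strip().upper() == "TNAS":
                findings.append((r["ip"], "webNasIPS-credential-disclosure"))
            if action == "mobile/createRaid":
                hit = tainted(params, ("raidtype", "diskstring"))
                if hit:
                    findings.append((r["ip"], "createRaid-command-injection:" + ",".join(hit)))
        elif path.endswith("/makecvs.php") and tainted(params, ("Event",)):
            findings.append((r["ip"], "makecvs-Event-command-injection"))
    return findings


def chained_sources(findings):
    """IPs that both pulled credentials via webNasIPS and hit createRaid
    with shell metacharacters: the chain the listing describes."""
    rules_by_ip = {}
    for ip, rule in findings:
        rules_by_ip.setdefault(ip, set()).add(rule.split(":")[0])
    return sorted(ip for ip, rules in rules_by_ip.items()
                  if {"webNasIPS-credential-disclosure",
                      "createRaid-command-injection"} <= rules)


if __name__ == "__main__":
    for ip, rule in detect(SAMPLE_REQUESTS):
        print(ip, rule)
    print("chained:", chained_sources(detect(SAMPLE_REQUESTS)))
```

The webNasIPS rule fires on any request carrying the exact header the listing names, so scope it to untrusted sources or pair it with the chain correlation; a device's legitimate mobile client may send the same User-Agent, which the listing neither confirms nor rules out. The createRaid parameters are checked after URL decoding, since a client would percent-encode the metacharacters in the body.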
Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter.
CVSS Score: 8.8 | EPSS Score: 0.026 | Published: 2018-11-27

Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-11-27

User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter.
CVSS Score: 5.3 | EPSS Score: 0.016 | Published: 2018-11-27

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "newname" parameter.
CVSS Score: 8.8 | EPSS Score: 0.12 | Published: 2018-11-27

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.
CVSS Score: 7.2 | EPSS Score: 0.126 | Published: 2018-11-27

Stored cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the browser of anyone viewing the user list by placing JavaScript in a username.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-11-27

Directory traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2018-11-27

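The entries above state affected versions in three forms ("through 4.2.30", "4.2.29 and earlier", a bare "3.1.03"), and TOS versions such as 4.2.06 break naive string comparison. The following is an added example, not code from Shodan or TerraMaster, that maps a device's reported TOS version onto the listing. It reads "through X" and "X and earlier" literally as less-than-or-equal, and treats a bare version as an exact match because the page states nothing about other versions; both readings are this example's assumptions.

```python
"""Added example: map a TOS version string onto the affected-version
statements in the listing above. Not Shodan's or TerraMaster's code."""
import re

# One row per entry above, in page order. "through X" and "X and earlier"
# are read literally as <= X; where the page names only 3.1.03 the row
# matches that version exactly (assumption: the page states nothing else).
LISTED_ISSUES = [
    ("api.php?mobile/createRaid root command injection", "<=", "4.2.30"),
    ("CVE-2022-24990 administrative password disclosure (webNasIPS)", "<=", "4.2.29"),
    ("include/makecvs.php Event command injection", "<=", "4.2.06"),
    ("usertable.php modgroup XSS", "==", "3.1.03"),
    ("Text Editor filename XSS", "==", "3.1.03"),
    ("usertable.php modgroup user enumeration", "==", "3.1.03"),
    ("ajaxdata.php newname command injection", "==", "3.1.03"),
    ("ajaxdata.php groupname command injection", "==", "3.1.03"),
    ("Control Panel username stored XSS", "==", "3.1.03"),
    ("explorer path directory traversal", "==", "3.1.03"),
]

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Numeric tuple from a version string such as 'TOS 4.2.06'.
    Leading zeros and trailing zero components are not significant,
    so 4.2.06 == 4.2.6 and 4.2.0 == 4.2; tuples then compare numerically."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version found in %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected(version_text):
    """Names of listed issues that apply to the given TOS version."""
    v = parse_version(version_text)
    hits = []
    for name, op, bound in LISTED_ISSUES:
        b = parse_version(bound)
        if (op == "<=" and v <= b) or (op == "==" and v == b):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for probe in ("TOS 4.2.30", "4.2.9", "4.2.31", "3.1.03"):
        print(probe, "->", affected(probe))
```

The 4.2.9 case is the reason for numeric parsing: as strings, "4.2.9" sorts after "4.2.29", which would wrongly exclude the known-exploited password disclosure. Version 4.2.31 matches nothing on this page, which says only that it is outside the listed ranges, not that it is clean.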
Shodan ® - All rights reserved