Terra-master

Tos

15 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.4

CVE-2024-34539

  • EPSS 0.52%
  • Veröffentlicht 14.06.2024 15:15:50
  • Zuletzt bearbeitet 21.11.2024 09:18:53

Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged actions.

9

CVE-2021-45836

Exploit
  • EPSS 0.72%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:07

An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.

10

CVE-2021-45837

Exploit
  • EPSS 81.08%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:07

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.

6.5

CVE-2021-45839

Exploit
  • EPSS 54%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:07

It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module...

10

CVE-2021-45840

Exploit
  • EPSS 1.95%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:07

It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.

8.1

CVE-2021-45841

Exploit
  • EPSS 65.51%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:08

In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow...

7.5

CVE-2021-45842

Exploit
  • EPSS 0.61%
  • Veröffentlicht 25.04.2022 11:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:08

It is possible to obtain the first administrator's hash set up in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) on the system as well as other information such as MAC address, internal IP address etc. by performing a request to the /module...

10

CVE-2020-15568

Exploit
  • EPSS 93.31%
  • Veröffentlicht 30.01.2021 05:15:12
  • Zuletzt bearbeitet 21.11.2024 05:05:45

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for...

5.4

CVE-2020-28184

Exploit
  • EPSS 0.24%
  • Veröffentlicht 24.12.2020 15:15:13
  • Zuletzt bearbeitet 21.11.2024 05:22:26

Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.

5.3

CVE-2020-28185

Exploit
  • EPSS 90.66%
  • Veröffentlicht 24.12.2020 15:15:13
  • Zuletzt bearbeitet 21.11.2024 05:22:26

User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.