This page lists publicly disclosed CVE vulnerabilities affecting terra-master terramaster_operating_system (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-24989 | TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used. | [email protected] | 9.8 | 83.68% | 2023-08-20 | 2024-11-21 |
| CVE-2022-24990 KEV | TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. | [email protected] | 7.5 | 94.40% | 2023-02-07 | 2025-11-07 |
| CVE-2020-35665 | An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. | [email protected] | 9.8 | 88.61% | 2020-12-23 | 2024-11-21 |
| CVE-2018-13418 | System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter. | [email protected] | 8.8 | 11.98% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13361 | User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter. | [email protected] | 5.3 | 0.32% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13360 | Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter. | [email protected] | 6.1 | 0.24% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13359 | Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter. | [email protected] | 8.8 | 0.61% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13358 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter. | [email protected] | 8.8 | 15.58% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13357 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. | [email protected] | 5.4 | 0.17% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13356 | Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions. | [email protected] | 8.8 | 0.48% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13355 | Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. | [email protected] | 6.5 | 0.15% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13354 | System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter. | [email protected] | 9.8 | 16.21% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13353 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. | [email protected] | 8.8 | 16.27% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13352 | Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory. | [email protected] | 7.5 | 0.32% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13351 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. | [email protected] | 4.8 | 0.17% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13350 | SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. | [email protected] | 9.8 | 0.36% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13349 | Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. | [email protected] | 6.1 | 0.24% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13338 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation. | [email protected] | 9.8 | 12.49% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13336 | System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation. | [email protected] | 9.8 | 12.49% | 2018-11-27 | 2024-11-21 |
| CVE-2018-13335 | Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. | [email protected] | 5.4 | 0.17% | 2018-11-27 | 2024-11-21 |