
cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*

part: o version: * update: *

Vendor: Terra Master (d89fe82a-9386-553b-9a83-7412a03e5915)
Product: Tos (d5bb3ff4-b89c-586d-8050-149b9baaebb8)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2024-34539 vulnerable 2026-06-03 14:55:54.210355 Details available
Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully log in to the mail or webmail server. These credentials can also be used to log in to the administration panel and to perform privileged actions.
Published: 2024-06-14T00:00:00.000Z
Updated: 2024-08-02T02:59:20.976Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-29189 vulnerable 2026-06-03 14:42:29.275568 Details available
Incorrect Access Control vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated attackers to bypass read-only restriction and obtain full access to any folder within the NAS
Published: 2020-12-24T14:36:59.000Z
Updated: 2024-08-04T16:48:01.685Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28190 vulnerable 2026-06-03 14:42:19.116214 Details available
TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a weaponized/infected version of applications or updates.
Published: 2020-12-24T14:34:32.000Z
Updated: 2024-08-04T16:33:57.797Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28188 vulnerable 2026-06-03 14:42:19.115865 Details available
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via the Event parameter to /include/makecvs.php.
Published: 2020-12-24T00:00:00.000Z
Updated: 2024-08-04T16:33:58.217Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28187 vulnerable 2026-06-03 14:42:19.115577 Details available
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, (2) Event parameter to /include/ajax/logtable.php, or (3) opt parameter to /include/core/index.php.
Published: 2020-12-24T14:31:58.000Z
Updated: 2024-08-04T16:33:58.311Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28186 vulnerable 2026-06-03 14:42:19.115271 Details available
Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover.
Published: 2020-12-24T14:30:11.000Z
Updated: 2024-08-04T16:33:57.924Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28185 vulnerable 2026-06-03 14:42:19.114950 Details available
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
Published: 2020-12-24T14:26:55.000Z
Updated: 2024-08-04T16:33:57.804Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-28184 vulnerable 2026-06-03 14:42:19.114567 Details available
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.
Published: 2020-12-24T14:28:16.000Z
Updated: 2024-08-04T16:33:57.796Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-15568 vulnerable 2026-06-03 14:41:46.032138 Details available
TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
Published: 2021-01-30T04:59:40.000Z
Updated: 2024-08-04T13:22:29.264Z
Imported from gcve-enriched-dumps CVE data
