In 2020, IHTeam performed a security review of TOS version 4.2.06 and identified the following vulnerabilities:
- CVE-2020-28184 – XSS
- CVE-2020-28185 – User Enumeration
- CVE-2020-28186 – Email Injection
- CVE-2020-28187 – Directory Traversal
- CVE-2020-28188 – Remote Command Execution
- CVE-2020-28190 – Software Update Man-in-the-middle
- CVE-2020-29189 – Incorrect Access Control
Recommendations
TerraMaster confirms that fixes will be implemented in version 4.2.07. Please check for updates.
References
- TerraMaster TOS Multiple Vulnerabilities (https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/)
CVE-2020-28184, CVE-2020-28185, CVE-2020-28186, CVE-2020-28187, CVE-2020-28188, CVE-2020-28190, CVE-2020-28189