CVE-2020-28187

CRITICAL

TerraMaster TOS <= 4.2.06 - Authenticated Path Traversal via Multiple Parameters

Title source: llm
STIX 2.1

Description

Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.terra-master.com/
Exploit, Third Party Advisory x_refsource_misc
https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/

Scores

CVSS v3 9.8
EPSS 0.1635
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
terra-master/tos < 4.2.06
Published Dec 24, 2020
Tracked Since Feb 18, 2026