CVE-2020-28187
CRITICAL WAF: High
CVSS 9.8
Published: 2020-12-24
CWE-22
Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| terra-master | tos | up to 4.2.06 |
References
- www.ihteam.net (Exploit, Third Party Advisory)
- www.terra-master.com (Vendor Advisory)