CVE-2020-15568

Name of the Vulnerable Software and Affected Versions TerraMaster TOS versions prior to 4.1.29

Description The issue is related to Invalid Parameter Checking, which leads to code injection as root. This is a dynamic class method invocation vulnerability in the include/exportUser.php file. An attacker can trigger a call to the exec method with OS commands in the opt parameter.

Recommendations For versions prior to 4.1.29, update to version 4.1.29 or later to resolve the issue. As a temporary workaround, consider restricting access to the include/exportUser.php file to minimize the risk of exploitation. Avoid using the opt parameter in the affected API endpoint until the issue is resolved.