CVE-2020-28188

Name of the Vulnerable Software and Affected Versions: TerraMaster TOS versions <= 4.2.06

Description: The issue is related to the "Event" parameter in the /include/makecvs.php file of the TerraMaster TOS operating system, which fails to neutralize special elements used in operating system commands. This can be exploited by a remote attacker to execute arbitrary code. The vulnerability allows remote unauthenticated attackers to inject OS commands via the "Event" parameter in the /include/makecvs.php file.

Recommendations: For TerraMaster TOS versions <= 4.2.06, update to a version later than 4.2.06 to resolve the issue. As a temporary workaround, consider restricting access to the /include/makecvs.php file and the Event parameter to minimize the risk of exploitation.