TerraMaster TOS Any account password modification vulnerability CVE-2020-28186
Vulnerability Description
An email injection flaw in TerraMaster TOS <= 4.2.06 allows unauthenticated remote attackers to reset account passwords through the forgot-password function and take over the accounts.
Vulnerability Impact
TerraMaster TOS < 4.2.06
Network surveying and mapping
"TerraMaster" && header="TOS"
Vulnerability reproduction
First, a valid user name is required. See TerraMaster TOS user enumeration vulnerability CVE-2020-28185 for how a known user name can be obtained.
On the password reset page, enter the account name and email address that were obtained.
Click OK, intercept the request, and change the email address in it so that the verification code is delivered to that address.
With the received verification code, the account password can be changed and the management backend logged in to.
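The flaw the steps above depend on is that the reset code goes to an address taken from the request. The following is an added example, not code from the original post or from TerraMaster: a simplified Python model of that pattern next to a hardened version. All names, the sample account and the in-memory outbox are constructed assumptions.

```python
import hmac, secrets, time

# Constructed sample data: account name -> email address on file.
USERS = {"admin": "admin@nas.example"}
CODE_TTL = 600          # seconds a verification code stays valid
_pending = {}           # username -> (code, expiry)
outbox = []             # (recipient, code) pairs; stands in for the mail sender

def _issue_code(username, recipient, now):
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[username] = (code, now + CODE_TTL)
    outbox.append((recipient, code))

def send_code_vulnerable(username, email, now=None):
    """Flawed pattern: the recipient is whatever the request carries."""
    if username not in USERS:
        return False
    _issue_code(username, email, time.time() if now is None else now)
    return True

def send_code_fixed(username, email, now=None):
    """Hardened: the request's email is only compared, never used as recipient."""
    on_file = USERS.get(username)
    if on_file is None or not hmac.compare_digest(
            email.strip().lower().encode(), on_file.lower().encode()):
        return False  # same result for unknown user and wrong email
    _issue_code(username, on_file, time.time() if now is None else now)
    return True

def redeem(username, code, now=None):
    """Single-use, expiring code check with constant-time comparison."""
    now = time.time() if now is None else now
    stored, expiry = _pending.pop(username, ("", 0))
    return now <= expiry and hmac.compare_digest(stored.encode(), code.encode())
```

In the hardened handler the stored address is the only possible recipient, so editing the email field in transit can only make the request fail.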
This post is licensed under CC BY 4.0 by the author.