Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated malicious users to abuse the forget password functionality and achieve account takeover.
terra-master tos