CVE-2025-7618

CVE-2025-7618 is a stored Cross-Site Scripting (XSS) vulnerability found in the File Explorer and Text Editor components of ASUSTOR Data Manager (ADM). The root cause is insufficient sanitization of user-supplied input within these applications, allowing an attacker to store malicious scripts on the server that are later executed in the context of a victim's browser session [1].

The attack requires an attacker with low privileges to interact with the vulnerable components and induce a user to view the stored content (user interaction required). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:A) indicates the attack can be performed over the network with low complexity and no attack resources, but the attacker must have a valid low-privilege account on the ADM system [1].

Successful exploitation enables the attacker to execute arbitrary JavaScript within the victim's browser when the stored content is accessed. This can be used to steal cookies, session tokens, or other sensitive information retained by the browser for the affected applications, potentially leading to account impersonation or data exfiltration [1].

The vulnerability affects ADM versions 4.1.0 through 4.3.3.RH61 and ADM 5.0.0.RIN1 and earlier, as well as Text Editor version 1.0.0.r112 and earlier. ASUSTOR has released fixes: upgrade to ADM 5.0.0.RJG2 or ADM 4.3.3.RJH1, or later, to remediate the issue [1].