Adm
by Asustor
CVEs (45)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12306 | Hig | 0.49 | 7.5 | 0.02 | Dec 4, 2018 | Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the "file1" URL parameter, a similar issue to CVE-2018-11344. | ||
| CVE-2018-11341 | Hig | 0.47 | 7.2 | 0.02 | May 22, 2018 | Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter. | ||
| CVE-2025-7699 | Hig | 0.46 | — | 0.00 | Jul 16, 2025 | An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter… | ||
| CVE-2023-2509 | Hig | 0.46 | 7.1 | 0.00 | May 17, 2023 | A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with… | ||
| CVE-2023-30770 | Hig | 0.46 | 7.1 | 0.01 | Apr 17, 2023 | A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71… | ||
| CVE-2022-37398 | Hig | 0.46 | 7.1 | 0.01 | Aug 5, 2022 | A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as… | ||
| CVE-2018-12315 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password. | ||
| CVE-2018-12308 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL parameter. | ||
| CVE-2018-11344 | Med | 0.42 | 6.5 | 0.01 | May 22, 2018 | A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter. | ||
| CVE-2018-12305 | Med | 0.40 | 6.1 | 0.01 | Dec 4, 2018 | Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript. | ||
| CVE-2025-7378 | Med | 0.39 | — | 0.00 | Jul 9, 2025 | An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior. This… | ||
| CVE-2018-12311 | Med | 0.35 | 5.4 | 0.01 | Dec 4, 2018 | Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename. | ||
| CVE-2018-12310 | Med | 0.35 | 5.4 | 0.01 | Dec 4, 2018 | Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature. | ||
| CVE-2025-7618 | Med | 0.31 | — | 0.00 | Jul 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information… | ||
| CVE-2025-7380 | Med | 0.31 | — | 0.00 | Jul 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the… | ||
| CVE-2018-11342 | Med | 0.28 | 4.3 | 0.01 | May 22, 2018 | A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter. | ||
| CVE-2026-3179 | 0.00 | — | 0.00 | Feb 25, 2026 | The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup… | |||
| CVE-2026-3100 | 0.00 | — | 0.00 | Feb 25, 2026 | The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM)… | |||
| CVE-2026-24936 | 0.00 | — | 0.01 | Feb 3, 2026 | When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this… | |||
| CVE-2026-24935 | 0.00 | — | 0.00 | Feb 3, 2026 | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel… |
- risk 0.49cvss 7.5epss 0.02
Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the "file1" URL parameter, a similar issue to CVE-2018-11344.
- risk 0.47cvss 7.2epss 0.02
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.
- risk 0.46cvss —epss 0.00
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter…
- risk 0.46cvss 7.1epss 0.00
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with…
- risk 0.46cvss 7.1epss 0.01
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71…
- risk 0.46cvss 7.1epss 0.01
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as…
- risk 0.42cvss 6.5epss 0.01
Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.
- risk 0.42cvss 6.5epss 0.01
Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL parameter.
- risk 0.42cvss 6.5epss 0.01
A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript.
- risk 0.39cvss —epss 0.00
An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior. This…
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename.
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature.
- risk 0.31cvss —epss 0.00
A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information…
- risk 0.31cvss —epss 0.00
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the…
- risk 0.28cvss 4.3epss 0.01
A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter.
- CVE-2026-3179Feb 25, 2026risk 0.00cvss —epss 0.00
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup…
- CVE-2026-3100Feb 25, 2026risk 0.00cvss —epss 0.00
The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM)…
- CVE-2026-24936Feb 3, 2026risk 0.00cvss —epss 0.01
When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this…
- CVE-2026-24935Feb 3, 2026risk 0.00cvss —epss 0.00
A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel…
Page 2 of 3