VYPR

Vendor: Asustor

Products: 8
CVEs: 59
Across products: 67
Status: Private


Recent CVEs

  • CVE-2018-11510 | Critical | Jun 28, 2018
    risk 0.70 | cvss 9.8 | epss 0.45

    The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.

  • CVE-2018-11511 | Critical | Aug 16, 2018
    risk 0.68 | cvss 9.8 | epss 0.11

    The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.

  • CVE-2018-11509 | Critical | Aug 16, 2018
    risk 0.68 | cvss 9.8 | epss 0.13

    ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to log in and upload a webshell.

  • CVE-2026-6643 | Critical | Apr 20, 2026
    risk 0.64 | cvss 9.9 | epss 0.00

    A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker…

  • CVE-2026-6644 | Critical | Apr 20, 2026
    risk 0.59 | cvss 9.1 | epss 0.01

    A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient…

  • CVE-2018-11345 | High | May 22, 2018
    risk 0.57 | cvss 8.8 | epss 0.02

    An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker-controlled code on the file system that can then be executed. Further, the…

  • CVE-2018-15694 | High | Aug 27, 2018
    risk 0.49 | cvss 7.5 | epss 0.02

    ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled.

  • CVE-2018-11341 | High | May 22, 2018
    risk 0.47 | cvss 7.2 | epss 0.02

    Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.

  • CVE-2018-11340 | High | May 22, 2018
    risk 0.47 | cvss 7.2 | epss 0.02

    An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker-controlled code on the file system that is then executed.

  • CVE-2025-7699 | High | Jul 16, 2025
    risk 0.46 | cvss | epss 0.00

    An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter…

  • CVE-2018-15698 | Medium | Aug 27, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi.

  • CVE-2018-15697 | Medium | Aug 27, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history.

  • CVE-2018-15695 | Medium | Aug 27, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi.

  • CVE-2018-11344 | Medium | May 22, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter.

  • CVE-2018-15699 | Medium | Aug 27, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting JavaScript into the configuration file's Version field.

  • CVE-2025-7378 | Medium | Jul 9, 2025
    risk 0.39 | cvss | epss 0.00

    An improper input validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuration file, causing the NAS to exhibit unexpected behavior. This…

  • CVE-2018-11343 | Medium | May 22, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    A persistent cross-site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross-site scripting payloads via the 'playlist' POST parameter.

  • CVE-2025-7379 | Medium | Jul 9, 2025
    risk 0.34 | cvss | epss 0.00

    A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before…

  • CVE-2025-7618 | Medium | Jul 14, 2025
    risk 0.31 | cvss | epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information…

  • CVE-2025-7380 | Medium | Jul 14, 2025
    risk 0.31 | cvss | epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM. The issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the…