Vendor CVEs
Asustor
All CVEs
59 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11510 | Cri | 0.70 | 9.8 | 0.45 | Jun 28, 2018 | The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter. | ||
| CVE-2018-11511 | Cri | 0.68 | 9.8 | 0.11 | Aug 16, 2018 | The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI. | ||
| CVE-2018-11509 | Cri | 0.68 | 9.8 | 0.13 | Aug 16, 2018 | ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell. | ||
| CVE-2026-6643 | Cri | 0.64 | 9.9 | 0.00 | Apr 20, 2026 | A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker… | ||
| CVE-2026-6644 | Cri | 0.59 | 9.1 | 0.01 | Apr 20, 2026 | A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient… | ||
| CVE-2018-11345 | Hig | 0.57 | 8.8 | 0.02 | May 22, 2018 | An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the… | ||
| CVE-2018-15694 | Hig | 0.49 | 7.5 | 0.02 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled. | ||
| CVE-2018-11341 | Hig | 0.47 | 7.2 | 0.02 | May 22, 2018 | Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter. | ||
| CVE-2018-11340 | Hig | 0.47 | 7.2 | 0.02 | May 22, 2018 | An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed. | ||
| CVE-2025-7699 | Hig | 0.46 | — | 0.00 | Jul 16, 2025 | An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter… | ||
| CVE-2018-15698 | Med | 0.42 | 6.5 | 0.01 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi. | ||
| CVE-2018-15697 | Med | 0.42 | 6.5 | 0.01 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history. | ||
| CVE-2018-15695 | Med | 0.42 | 6.5 | 0.01 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi. | ||
| CVE-2018-11344 | Med | 0.42 | 6.5 | 0.01 | May 22, 2018 | A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter. | ||
| CVE-2018-15699 | Med | 0.40 | 6.1 | 0.01 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field. | ||
| CVE-2025-7378 | Med | 0.39 | — | 0.00 | Jul 9, 2025 | An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior. This… | ||
| CVE-2018-11343 | Med | 0.35 | 5.4 | 0.01 | May 22, 2018 | A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter. | ||
| CVE-2025-7379 | Med | 0.34 | — | 0.00 | Jul 9, 2025 | A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before… | ||
| CVE-2025-7618 | Med | 0.31 | — | 0.00 | Jul 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information… | ||
| CVE-2025-7380 | Med | 0.31 | — | 0.00 | Jul 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the… | ||
| CVE-2018-15696 | Med | 0.28 | 4.3 | 0.01 | Aug 27, 2018 | ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi. | ||
| CVE-2018-11346 | Med | 0.28 | 4.3 | 0.01 | May 22, 2018 | An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter. | ||
| CVE-2018-11342 | Med | 0.28 | 4.3 | 0.01 | May 22, 2018 | A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter. | ||
| CVE-2018-12307 | 0.01 | — | 0.03 | Dec 4, 2018 | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter. | |||
| CVE-2018-12316 | 0.01 | — | 0.03 | Dec 4, 2018 | OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter. | |||
| CVE-2018-12317 | 0.01 | — | 0.03 | Dec 4, 2018 | OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name" POST parameter. | |||
| CVE-2018-12312 | 0.01 | — | 0.03 | Dec 4, 2018 | OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter. | |||
| CVE-2026-3179 | 0.00 | — | 0.00 | Feb 25, 2026 | The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup… | |||
| CVE-2026-3100 | 0.00 | — | 0.00 | Feb 25, 2026 | The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM)… | |||
| CVE-2026-24936 | 0.00 | — | 0.01 | Feb 3, 2026 | When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this… | |||
| CVE-2026-24935 | 0.00 | — | 0.00 | Feb 3, 2026 | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel… | |||
| CVE-2026-24934 | 0.00 | — | 0.00 | Feb 3, 2026 | The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the… | |||
| CVE-2026-24933 | 0.00 | — | 0.00 | Feb 3, 2026 | The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the… | |||
| CVE-2026-24932 | 0.00 | — | 0.00 | Feb 3, 2026 | The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a… | |||
| CVE-2025-13053 | 0.00 | — | 0.00 | Dec 12, 2025 | When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the… | |||
| CVE-2025-13052 | 0.00 | — | 0.00 | Dec 12, 2025 | When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may… | |||
| CVE-2023-4475 | 0.00 | — | 0.00 | Aug 22, 2023 | An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and… | |||
| CVE-2023-3699 | 0.00 | — | 0.00 | Aug 22, 2023 | An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. | |||
| CVE-2023-3698 | 0.00 | — | 0.01 | Aug 17, 2023 | Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. | |||
| CVE-2023-3697 | 0.00 | — | 0.01 | Aug 17, 2023 | Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. | |||
| CVE-2023-2910 | 0.00 | — | 0.01 | Aug 17, 2023 | Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions… | |||
| CVE-2023-2909 | 0.00 | — | 0.01 | May 31, 2023 | EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below. | |||
| CVE-2023-2509 | 0.00 | — | 0.00 | May 17, 2023 | A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with… | |||
| CVE-2023-30770 | 0.00 | — | 0.01 | Apr 17, 2023 | A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71… | |||
| CVE-2022-37398 | 0.00 | — | 0.01 | Aug 5, 2022 | A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as… | |||
| CVE-2022-27512 | 0.00 | — | 0.01 | Jun 16, 2022 | Temporary disruption of the ADM license service. The impact of this includes preventing new licenses from being issued or renewed by Citrix ADM. | |||
| CVE-2019-11689 | 0.00 | — | 0.03 | Mar 18, 2020 | An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system shell, resulting in code execution as root. | |||
| CVE-2019-11688 | 0.00 | — | 0.01 | Mar 18, 2020 | An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl accept any certificate for asustornasapi.asustor.com. In other words, there is Missing SSL Certificate Validation. | |||
| CVE-2018-12313 | 0.00 | — | 0.04 | Dec 4, 2018 | OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter. | |||
| CVE-2018-12318 | 0.00 | — | 0.01 | Dec 4, 2018 | Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext. |
- risk 0.70cvss 9.8epss 0.45
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.
- risk 0.68cvss 9.8epss 0.11
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
- risk 0.68cvss 9.8epss 0.13
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.
- risk 0.64cvss 9.9epss 0.00
A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker…
- risk 0.59cvss 9.1epss 0.01
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient…
- risk 0.57cvss 8.8epss 0.02
An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the…
- risk 0.49cvss 7.5epss 0.02
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled.
- risk 0.47cvss 7.2epss 0.02
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.
- risk 0.47cvss 7.2epss 0.02
An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed.
- risk 0.46cvss —epss 0.00
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter…
- risk 0.42cvss 6.5epss 0.01
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi.
- risk 0.42cvss 6.5epss 0.01
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history.
- risk 0.42cvss 6.5epss 0.01
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi.
- risk 0.42cvss 6.5epss 0.01
A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter.
- risk 0.40cvss 6.1epss 0.01
ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field.
- risk 0.39cvss —epss 0.00
An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior. This…
- risk 0.35cvss 5.4epss 0.01
A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter.
- risk 0.34cvss —epss 0.00
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before…
- risk 0.31cvss —epss 0.00
A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information…
- risk 0.31cvss —epss 0.00
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the…
- risk 0.28cvss 4.3epss 0.01
ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi.
- risk 0.28cvss 4.3epss 0.01
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter.
- risk 0.28cvss 4.3epss 0.01
A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter.
- CVE-2018-12307Dec 4, 2018risk 0.01cvss —epss 0.03
OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter.
- CVE-2018-12316Dec 4, 2018risk 0.01cvss —epss 0.03
OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter.
- CVE-2018-12317Dec 4, 2018risk 0.01cvss —epss 0.03
OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name" POST parameter.
- CVE-2018-12312Dec 4, 2018risk 0.01cvss —epss 0.03
OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter.
- CVE-2026-3179Feb 25, 2026risk 0.00cvss —epss 0.00
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup…
- CVE-2026-3100Feb 25, 2026risk 0.00cvss —epss 0.00
The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM)…
- CVE-2026-24936Feb 3, 2026risk 0.00cvss —epss 0.01
When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this…
- CVE-2026-24935Feb 3, 2026risk 0.00cvss —epss 0.00
A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel…
- CVE-2026-24934Feb 3, 2026risk 0.00cvss —epss 0.00
The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the…
- CVE-2026-24933Feb 3, 2026risk 0.00cvss —epss 0.00
The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the…
- CVE-2026-24932Feb 3, 2026risk 0.00cvss —epss 0.00
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a…
- CVE-2025-13053Dec 12, 2025risk 0.00cvss —epss 0.00
When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the…
- CVE-2025-13052Dec 12, 2025risk 0.00cvss —epss 0.00
When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may…
- CVE-2023-4475Aug 22, 2023risk 0.00cvss —epss 0.00
An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and…
- CVE-2023-3699Aug 22, 2023risk 0.00cvss —epss 0.00
An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
- CVE-2023-3698Aug 17, 2023risk 0.00cvss —epss 0.01
Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
- CVE-2023-3697Aug 17, 2023risk 0.00cvss —epss 0.01
Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
- CVE-2023-2910Aug 17, 2023risk 0.00cvss —epss 0.01
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions…
- CVE-2023-2909May 31, 2023risk 0.00cvss —epss 0.01
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.
- CVE-2023-2509May 17, 2023risk 0.00cvss —epss 0.00
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with…
- CVE-2023-30770Apr 17, 2023risk 0.00cvss —epss 0.01
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71…
- CVE-2022-37398Aug 5, 2022risk 0.00cvss —epss 0.01
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as…
- CVE-2022-27512Jun 16, 2022risk 0.00cvss —epss 0.01
Temporary disruption of the ADM license service. The impact of this includes preventing new licenses from being issued or renewed by Citrix ADM.
- CVE-2019-11689Mar 18, 2020risk 0.00cvss —epss 0.03
An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system shell, resulting in code execution as root.
- CVE-2019-11688Mar 18, 2020risk 0.00cvss —epss 0.01
An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl accept any certificate for asustornasapi.asustor.com. In other words, there is Missing SSL Certificate Validation.
- CVE-2018-12313Dec 4, 2018risk 0.00cvss —epss 0.04
OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter.
- CVE-2018-12318Dec 4, 2018risk 0.00cvss —epss 0.01
Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext.
Page 1 of 2