37 matches found
CVE-2018-15696
ASUSTOR Data Master (ADM) prior to 3.1.6 is affected by CVE-2018-15696: authenticated remote non-administrative users can enumerate all user accounts via user.cgi. Vulnerability details are supported by multiple sources (e.g., NVD entry and OpenVAS plugin noting ADM < 3.1.6 includes CVE-2018-1...
CVE-2018-15697
ASUSTOR Data Master (ADM) prior to version 3.1.6 is affected by CVE-2018-15697. Authenticated non-administrative users can read any file on a shared NAS by supplying the full path in the request (example: /home/admin/.ash_history). The issue stems from a file-disclosure vulnerability in ADM 3.1.5...
CVE-2018-12312
ASUSTOR ADM 3.1.1 contains an OS command injection in user.cgi that allows an attacker to run commands as root via the secret_key URL parameter. Vulnerability is triggered through network exposure to ASUSTOR ADM's web interface, enabling arbitrary command execution with root privileges if the par...
CVE-2026-24936
CVE-2026-24936 affects ASUSTOR ADM: an improper input parameter validation flaw in a CGI program when a specific function is enabled during AD Domain join allows an unauthenticated remote attacker to write arbitrary data to any file, potentially leading to complete system compromise. Affected: AD...
CVE-2018-12313
CVE-2018-12313 affects ASUSTOR ADM 3.1.1: OS command injection in snmp.cgi exploitable without authentication via the rocommunity parameter. Impact: remote code execution with high integrity/availability risk (CVSSv3/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8). Affected component: snmp.cgi in ADM;...
CVE-2018-12318
CVE-2018-12318 relates to ASUSTOR ADM (versions including 3.1.1) where the SNMP settings page leaks the SNMP password in plaintext. The CVE is documented in multiple sources (NVD and CNVD entries) with the same basic impact: information disclosure. The root cause is an information disclosure flaw...
CVE-2018-12314
ASUSTOR ADM 3.1.1 is affected by a directory traversal vulnerability in downloadwallpaper.cgi. The issue allows an attacker to download arbitrary files by manipulating the file and folder URL parameters. This is documented in CVE-2018-12314 (NVD entry) and corroborated by CNVD-2018-25182, which d...
CVE-2018-12317
CVE-2018-12317 relates to an OS command injection in ASUSTOR ADM 3.1.1 (group.cgi) that allows an attacker to run arbitrary commands as root by altering the name POST parameter. The vulnerability is described across NVD/CNVD entries as affecting ASUSTOR ADM on the affected NAS devices, with root-...
CVE-2018-12305
The provided connected sources confirm a cross-site scripting vulnerability in ASUSTOR ADM 3.1.1 File Explorer. Specifically, uploading SVG images with embedded JavaScript allows an attacker to execute code. Affected product: ASUSTOR ADM (File Explorer component) version 3.1.1. Root cause: improp...
CVE-2018-12307
ASUSTOR ADM version 3.1.1 is affected by an OS command injection in the user.cgi component. The vulnerability allows an attacker to execute system commands as root via the name POST parameter, enabling full compromise of the device. Descriptions across multiple feeds (NVD/NVD family and CNVD) con...
CVE-2018-12319
CVE-2018-12319 affects ASUSTOR ADM 3.1.1. The available connected documents describe a Denial-of-Service on the login page caused by placing malformed text in the login page title, preventing users from signing in. The vulnerability impact is partial availability loss (DoS) with a high CVSS 3.0 b...
CVE-2018-15694
CVE-2018-15694 affects ASUSTOR Data Master (ADM) running on NAS devices, specifically versions 3.1.5 and earlier. A path traversal vulnerability allows authenticated remote non-administrative users to upload files to arbitrary locations, which could lead to code execution if the Web Server featur...
CVE-2018-15698
ASUSTOR Data Master (ADM) 3.1.5 and earlier: authenticated remote non-administrative users can read arbitrary files on the file system by providing the full path to loginimage.cgi. This is CVE-2018-15698 (NVD/CVE entry). The vulnerability originates from an information-disclosure flaw in ADM prio...
CVE-2023-3697
CVE-2023-3697 affects ASUSTOR ADM printers: the printer service fails to properly validate user input, enabling remote unauthorized users to traverse directories and create files beyond the intended path. Affected products/versions include ADM 4.0.6.RIS1, 4.1.0 and earlier, and ADM 4.2.2.RI61 and...
CVE-2018-12315
ASUSTOR ADM 3.1.1 contains a password verification bypass vulnerability: missing verification allows attackers to change account passwords without the current password. Affected component: ADM password handling. Root cause: inadequate password validation. Impact: unauthorized password changes (no...
CVE-2018-15695
ASUSTOR Data Master (ADM) is affected in versions 3.1.5 and earlier due to a path traversal vulnerability in wallpaper.cgi. The issue allows authenticated remote non-administrative users to delete arbitrary files on the file system. Root cause: path traversal in wallpaper.cgi. Impact per sources:...
CVE-2018-15699
Summary for CVE-2018-15699: Affected product is ASUSTOR Data Master (ADM) web interface prior to 3.1.6. The issue arises when ADM repeatedly makes HTTP requests for a configuration file, allowing a MITM attacker to inject JavaScript into the Version field, resulting in a cross‑site scripting (XS...
CVE-2023-2910
CVE-2023-2910 affects ASUSTOR Data Master (ADM) Printer service. The root cause is improper neutralization of special elements used in a command (command injection) which enables remote, unauthenticated abuse to execute arbitrary commands. Affected ADM versions include 4.0.6.RIS1, 4.1.0 and below...
CVE-2018-12306
CVE-2018-12306 describes a directory traversal vulnerability in ASUSTOR ADM’s File Explorer (v3.1.1). An attacker can view arbitrary files by altering the URL parameter file1, indicating improper input handling in the file-path logic. The vulnerability is presented as analogous to CVE-2018-11344....
CVE-2018-12309
CVE-2018-12309 describes a directory traversal in ASUSTOR ADM 3.1.1, via upload.cgi, allowing an attacker to upload files to arbitrary locations by modifying the path URL parameter (the filename parameter is covered by CVE-2018-11345). NVD lists CVSS v3.0 base score 7.5 (HIGH) with network attack...
CVE-2018-12310
CVE-2018-12310 describes a cross-site scripting vulnerability in ASUSTOR ADM (login page, version 3.1.1) where an attacker can inject JavaScript through the System Announcement feature. Affected component: ASUSTOR ADM login flow. Underlying issue: stored/reflected XSS in the login surface (detail...
CVE-2018-12311
ASUSTOR ADM File Explorer (v3.1.1) is affected by a cross-site scripting vulnerability. When a file is moved using a malicious filename, an attacker can cause arbitrary JavaScript execution. The reports do not provide specific fixes or patch versions in the supplied documents.
CVE-2023-4475
ASUSTOR Data Master (ADM) is affected by an Arbitrary File Movement vulnerability via the file renaming feature. Affected: ADM 4.0.6.RIS1 and below, ADM 4.1.0 and below, ADM 4.2.2.RI61 and below. Root cause: exploitation of the file renaming mechanism to move files into unintended directories. Im...
CVE-2018-12308
ASUSTOR ADM 3.1.1 is affected by an information disclosure in share.cgi that allows an attacker to obtain the encryption key via the encrypt_key URL parameter. The root cause is a flaw in how share.cgi handles the key, enabling unauthorized access to the encryption key and potential compromise of...
CVE-2023-3698
The CVE-2023-3698 issue affects ASUSTOR ADM’s Printer service. The vulnerability is an input-validation/path traversal flaw in the Printer service that lets remote unauthorized users navigate beyond the intended directory structure and delete files. Affected ADM versions include 4.0.6.RIS1, 4.1.0 ...
CVE-2023-3699
CVE-2023-3699 affects ASUSTOR Data Master (ADM) on ASUSTOR NAS. The issue is improper privilege management that allows an unprivileged local user to modify the storage devices configuration. Affected ADM versions: 4.0.6.RIS1 and below; 4.1.0 and below; 4.2.2.RI61 and below. Impact is the abili...
CVE-2018-12316
ASUSTOR ADM is affected by OS Command Injection in upload.cgi in version 3.1.1, where an attacker can modify the filename POST parameter to execute system commands. This is documented across multiple sources (NVD CVE-2018-12316, CNVD-2018-25181, OpenVAS entry) with a CVSS base score high (3.0: 8....
CVE-2026-6644
The CVE-2026-6644 entry describes a command-injection vulnerability in ADM PPTP VPN Clients that allows an administrative user to escape the restricted web environment and execute arbitrary OS commands, enabling Remote Code Execution and full system compromise. Affected are ADM versions 4.1.0–4.3...
CVE-2026-24932
The CVE-2026-24932 issue is improper TLS/SSL certificate hostname validation in ADM’s DDNS update function. The vulnerability allows a remote attacker to perform a Man‑in‑the‑Middle (MitM) attack over HTTPS, potentially exposing sensitive DDNS updating data such as the user’s email, MD5‑hashed...
CVE-2026-3179
The CVE describes a Path Traversal in ASUSTOR ADM FTP Backup on Linux platforms (x86, ARM, 64‑bit). The vulnerability arises from improper limitation of a pathname to a restricted directory, enabling unauthorized access via the network. Affected ADM versions are 4.1.0 through 4.3.3.ROF1, and 5.0....
CVE-2026-3100
CVE-2026-3100 affects ASUSTOR ADM FTP Backup running on Linux/x86/ARM (64‑bit). The issue is improper certificate validation in ADM FTP Backup, enabling sniffing attacks over the network. Affected versions are ADM 4.1.0–4.3.3.ROF1 and 5.0.0–5.1.2.RE51. The CVSS base score is 8.3 (HIGH) with netwo...
CVE-2026-24933
CVE-2026-24933 describes improper SSL/TLS certificate validation in the API communication component, allowing MITM interception of HTTPS traffic and exposure of sensitive user data (emails, MD5 hashes, device serial numbers). Affected software: ADM 4.1.0–4.3.3.ROF1 and ADM 5.0.0–5.1.1.RCI1. Ro...
CVE-2026-24934
CVE-2026-24934 describes an insecure DDNS WAN-IP lookup in ADM firmware. The DDNS function uses HTTP or fails to validate the SSL/TLS certificate when querying an external server for the device’s WAN IP, enabling an unauthenticated MitM attacker to spoof the response and cause the device to updat...
CVE-2026-6643
ASUSTOR ADM VPN clients (ADM 4.1.0–4.3.3.RR42 and 5.0.0–5.1.2.REO1) are affected by CVE-2026-6643 due to a stack-based buffer overflow caused by unbounded sscanf() and passing user-controlled data to printf() in vpnupload.cgi (upload_wireguard). The vulnerability can lead to code execution as the...
CVE-2025-13053
The CVE-2025-13053 issue affects ASUSTOR ADM NAS: vulnerable in versions 4.1.0–4.3.3.RKD2 and 5.0.0–5.1.0.RN42. Root cause is non-enforced TLS certificate verification when configuring NAS to retrieve UPS status or control the UPS, enabling a network MITM attack to intercept traffic and potential...
CVE-2025-13052
CVE-2025-13052 describes improper TLS/SSL certificate validation in ADM notifications when sending emails via msmtp, enabling potential MITM disclosure of SMTP data. Affected: ADM 4.1.0–4.3.3.RKD2 and 5.0.0–5.1.0.RN42. Root cause: TLS/SSL validation weakness between SMTP client and server. Impact...
CVE-2026-24935
CVE-2026-24935: A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server, enabling a MitM attacker to intercept or redirect the NAT tunnel establishment. This vulnerability could disrupt service availability or enable targeted attacks by ac...