Vulnerabilities related to asustor - adm
CVE-2018-11510 (GCVE-0-2018-11510)
Vulnerability from cvelistv5
Published
2018-06-28 14:00
Modified
2024-08-05 08:10
CWE
- n/a
Summary
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/45200/ | exploit, x_refsource_EXPLOIT-DB | |
http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/45212/ | exploit, x_refsource_EXPLOIT-DB | |
https://github.com/mefulton/CVE-2018-11510 | x_refsource_MISC | |
https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:10:14.856Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "45200", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/45200/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html" }, { "name": "45212", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/45212/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mefulton/CVE-2018-11510" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-06-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the \u0027script\u0027 parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "45200", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/45200/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html" }, { "name": "45212", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/45212/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mefulton/CVE-2018-11510" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11510", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the \u0027script\u0027 parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "45200", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45200/" }, { "name": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html" }, { "name": "45212", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45212/" }, { "name": "https://github.com/mefulton/CVE-2018-11510", "refsource": "MISC", "url": "https://github.com/mefulton/CVE-2018-11510" }, { "name": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py", "refsource": "MISC", "url": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11510", "datePublished": "2018-06-28T14:00:00", "dateReserved": "2018-05-28T00:00:00", "dateUpdated": "2024-08-05T08:10:14.856Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-4475 (GCVE-0-2023-4475)
Vulnerability from cvelistv5
Published
2023-08-22 09:02
Modified
2024-10-02 20:02
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Summary
An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) that allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=30 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:05.523Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=30" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4475", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-02T20:00:13.355436Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-02T20:02:50.949Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "packageName": "File Explorer", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "St\u00e9phane Chauveau (stephane@chauveau-central.net)" } ], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. 
Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\u003cbr\u003e" } ], "value": "An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n" } ], "impacts": [ { "capecId": "CAPEC-165", "descriptions": [ { "lang": "en", "value": "CAPEC-165 File Manipulation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-22T09:02:30.376Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=30" } ], "source": { "discovery": "UNKNOWN" }, "title": "An Arbitrary File Movement vulnerability was found on the ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-4475", "datePublished": "2023-08-22T09:02:30.376Z", "dateReserved": "2023-08-22T07:08:47.286Z", "dateUpdated": "2024-10-02T20:02:50.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-30770 (GCVE-0-2023-30770)
Vulnerability from cvelistv5
Published
2023-04-17 06:32
Modified
2025-02-05 21:22
CWE
- CWE-787 - Out-of-bounds Write
Summary
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=21 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:37:15.479Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=21" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-30770", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-05T21:22:15.725391Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-05T21:22:25.410Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Linux", "x86", "64 bit", "ARM" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.REG2", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.0.RE71", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "LinYu, Li from Institute of Information Engineering, Chinese Academy of Sciences" } ], "datePublic": "2023-04-17T07:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below." 
} ], "value": "A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-04T04:03:35.683Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=21" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Update ADM to the latest version for fixing the issue." } ], "value": "Update ADM to the latest version for fixing the issue." } ], "source": { "discovery": "EXTERNAL" }, "title": "A stack-based buffer overflow vulnerability was found in the ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-30770", "datePublished": "2023-04-17T06:32:05.965Z", "dateReserved": "2023-04-14T18:41:42.637Z", "dateUpdated": "2025-02-05T21:22:25.410Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2509 (GCVE-0-2023-2509)
Vulnerability from cvelistv5
Published
2023-05-17 06:33
Modified
2025-01-22 16:51
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A Cross-Site Scripting (XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=22 | vendor-advisory |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:26:08.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=22" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2509", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-22T16:51:21.778917Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-22T16:51:46.681Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "Web Center", "platforms": [ "Linux", "x86", "64 bit", "ARM" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.REG2", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.1.RGE2", "status": "affected", "version": "4.2", "versionType": "custom" } ] }, { "defaultStatus": "unaffected", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "LooksGood", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "2.0.0.R129", "status": "affected", "version": "2.0", "versionType": "custom" } ] }, { "defaultStatus": "unaffected", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "SoundsGood", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "2.3.0.r1027", "status": "affected", "version": "2.3", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Zhiyong Xing, Inner Mongolia Xinyuan Network Security Technology Co., Ltd., China" } ], 
"datePublic": "2023-06-06T07:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below." } ], "value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-18T01:34:00.464Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=22" } ], "source": { "discovery": "EXTERNAL" }, "title": "A Cross-Site Scripting(XSS) vulnerability was found on ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-2509", "datePublished": "2023-05-17T06:33:37.536Z", "dateReserved": "2023-05-04T03:31:16.029Z", "dateUpdated": "2025-01-22T16:51:46.681Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2749 (GCVE-0-2023-2749)
Vulnerability from cvelistv5
Published
2023-05-31 08:36
Modified
2025-01-09 21:02
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Download Center fails to properly validate the file path submitted by a user. An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=24 | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
ASUSTOR | Download Center | Affected: 1.1.5 through 1.1.5.r1280 (inclusive) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:05.379Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=24" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2749", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T21:01:53.722872Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-09T21:02:15.236Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "Download Center", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "1.1.5.r1280", "status": "affected", "version": "1.1.5", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Zhiyong Xing, Inner Mongolia Xinyuan Network Security Technology Co., Ltd., China" } ], "datePublic": "2023-06-01T02:10:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Download Center fails to properly validate the file path submitted by a user, An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below. 
" } ], "value": "Download Center fails to properly validate the file path submitted by a user, An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below. " } ], "impacts": [ { "capecId": "CAPEC-410", "descriptions": [ { "lang": "en", "value": "CAPEC-410 Information Elicitation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-31T08:36:37.182Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=24" } ], "source": { "discovery": "UNKNOWN" }, "title": "A Gain Information vulnerability was found on Download Center.", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-2749", "datePublished": "2023-05-31T08:36:37.182Z", "dateReserved": "2023-05-17T05:56:36.390Z", "dateUpdated": "2025-01-09T21:02:15.236Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7699 (GCVE-0-2025-7699)
Vulnerability from cvelistv5
Published
2025-07-16 09:41
Modified
2025-07-16 14:39
CWE
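- CWE-287 - Improper Authentication (CNA-assigned; note that the summary describes a missing authorization check on requests from already-authenticated users)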
Summary
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=46 | vendor-advisory |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7699", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-16T14:29:12.986169Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-16T14:39:53.942Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "EZ Sync Manager", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.3.3.RH61", "status": "affected", "version": "4.1.0", "versionType": "custom" }, { "lessThanOrEqual": "5.0.0.RIN1", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Engin Aydo\u011fan" } ], "datePublic": "2025-07-16T09:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data.\nAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier." } ], "value": "An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. 
The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data.\nAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier." } ], "impacts": [ { "capecId": "CAPEC-115", "descriptions": [ { "lang": "en", "value": "CAPEC-115 Authentication Bypass" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-16T09:41:12.220Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=46" } ], "source": { "discovery": "UNKNOWN" }, "title": "An improper access control vulnerability was found in the EZ Sync Manager of ADM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": 
"f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2025-7699", "datePublished": "2025-07-16T09:41:12.220Z", "dateReserved": "2025-07-16T03:13:18.895Z", "dateUpdated": "2025-07-16T14:39:53.942Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7618 (GCVE-0-2025-7618)
Vulnerability from cvelistv5
Published
2025-07-14 10:15
Modified
2025-07-14 13:36
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored Cross-Site Scripting (XSS) vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=45 | vendor-advisory |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7618", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-14T13:36:02.836504Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-14T13:36:07.832Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "File Explorer", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.3.3.RH61", "status": "affected", "version": "4.1.0", "versionType": "custom" }, { "lessThanOrEqual": "5.0.0.RIN1", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] }, { "defaultStatus": "unaffected", "packageName": "Text Editor", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "1.0.0.r112", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Engin Aydo\u011fan" } ], "datePublic": "2025-07-14T10:10:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications.\u003cbr\u003eAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier." 
} ], "value": "A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications.\nAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier." } ], "impacts": [ { "capecId": "CAPEC-592", "descriptions": [ { "lang": "en", "value": "CAPEC-592 Stored XSS" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-14T10:19:46.737Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=45" } ], "source": { "discovery": "UNKNOWN" }, "title": "A stored Cross-Site Scripting (XSS) 
vulnerability exists in the File Explorer and Text Editor of ADM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2025-7618", "datePublished": "2025-07-14T10:15:10.892Z", "dateReserved": "2025-07-14T01:44:55.433Z", "dateUpdated": "2025-07-14T13:36:07.832Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7378 (GCVE-0-2025-7378)
Vulnerability from cvelistv5
Published
2025-07-09 07:06
Modified
2025-07-09 13:54
CWE
- CWE-20 - Improper Input Validation
Summary
An improper Input Validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuration file, causing the NAS to exhibit unexpected behavior.
This issue affects ADM: from 4.1 before 4.3.1.R5A1.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=41 | vendor-advisory |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7378", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T13:50:25.186642Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-09T13:54:52.248Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThan": "4.3.1.R5A1", "status": "affected", "version": "4.1", "versionType": "custom" } ] } ], "datePublic": "2025-07-09T07:05:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior.\u003cbr\u003eThis issue affects ADM: from 4.1 before 4.3.1.R5A1." } ], "value": "An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior.\nThis issue affects ADM: from 4.1 before 4.3.1.R5A1." 
} ], "impacts": [ { "capecId": "CAPEC-75", "descriptions": [ { "lang": "en", "value": "CAPEC-75 Manipulating Writeable Configuration Files" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 6, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/R:U/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T08:43:51.598Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=41" } ], "source": { "discovery": "UNKNOWN" }, "title": "An improper input validation vulnerability was found on manipulating configuration of ADM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2025-7378", "datePublished": "2025-07-09T07:06:08.150Z", "dateReserved": "2025-07-09T06:11:51.237Z", "dateUpdated": "2025-07-09T13:54:52.248Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-3697 (GCVE-0-2023-3697)
Vulnerability from cvelistv5
Published
2023-08-17 09:33
Modified
2024-10-08 17:27
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=28 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.415Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=28" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "adm", "vendor": "asustor", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-3697", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T17:25:13.411160Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T17:27:28.080Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "packageName": "Printer Service", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security" } ], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [ { 
"lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\u003cbr\u003e" } ], "value": "Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n" } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-17T09:33:46.822Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=28" } ], "source": { "discovery": "UNKNOWN" }, "title": "A Command injection vulnerability was found on Printer service of ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", 
"cveId": "CVE-2023-3697", "datePublished": "2023-08-17T09:33:46.822Z", "dateReserved": "2023-07-17T06:12:19.306Z", "dateUpdated": "2024-10-08T17:27:28.080Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-3699 (GCVE-0-2023-3699)
Vulnerability from cvelistv5
Published
2023-08-22 08:57
Modified
2024-10-02 20:09
CWE
- CWE-269 - Improper Privilege Management
Summary
An Improper Privilege Management vulnerability in ASUSTOR Data Master (ADM) allows unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=29 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.373Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=29" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3699", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-02T20:08:25.950632Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-02T20:09:53.930Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "St\u00e9phane Chauveau (stephane@chauveau-central.net)" } ], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. 
Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\u003cbr\u003e" } ], "value": "An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the storage devices configuration. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n" } ], "impacts": [ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-22T08:57:21.718Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=29" } ], "source": { "discovery": "UNKNOWN" }, "title": "An Improper Privilege Management vulnerability was found on the ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-3699", "datePublished": "2023-08-22T08:57:21.718Z", "dateReserved": "2023-07-17T06:12:32.684Z", "dateUpdated": "2024-10-02T20:09:53.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2910 (GCVE-0-2023-2910)
Vulnerability from cvelistv5
Published
2023-08-17 09:25
Modified
2024-10-08 17:30
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=27 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:41:03.648Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=27" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "adm", "vendor": "asustor", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI6", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-2910", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T17:28:39.517947Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T17:30:14.795Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "packageName": "Printer Service", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security" } ], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [ { 
"lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper neutralization of special elements used in a command (\u0027Command Injection\u0027) vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\u003cbr\u003e" } ], "value": "Improper neutralization of special elements used in a command (\u0027Command Injection\u0027) vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n" } ], "impacts": [ { "capecId": "CAPEC-248", "descriptions": [ { "lang": "en", "value": "CAPEC-248 Command Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-17T09:25:43.344Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=27" } ], "source": { "discovery": "UNKNOWN" }, "title": "A Command injection vulnerability 
was found on Printer service of ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-2910", "datePublished": "2023-08-17T09:25:43.344Z", "dateReserved": "2023-05-26T09:43:54.979Z", "dateUpdated": "2024-10-08T17:30:14.795Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7379 (GCVE-0-2025-7379)
Vulnerability from cvelistv5
Published
2025-07-09 08:31
Modified
2025-07-09 13:41
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=42 | vendor-advisory |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7379", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T13:39:51.380803Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-09T13:41:06.585Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "DataSync Center", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThan": "1.1.0.r207", "status": "affected", "version": "1.1.0", "versionType": "custom" }, { "lessThan": "1.2.0.r206", "status": "affected", "version": "1.2.0", "versionType": "custom" } ] } ], "datePublic": "2025-07-09T08:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206." } ], "value": "A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206." 
} ], "impacts": [ { "capecId": "CAPEC-98", "descriptions": [ { "lang": "en", "value": "CAPEC-98 Phishing" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.2, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T08:41:09.663Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=42" } ], "source": { "discovery": "UNKNOWN" }, "title": "A security bypass vulnerability was found in DataSync Center installed on ADM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2025-7379", "datePublished": "2025-07-09T08:31:02.925Z", "dateReserved": "2025-07-09T06:11:58.712Z", "dateUpdated": "2025-07-09T13:41:06.585Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-3698 (GCVE-0-2023-3698)
Vulnerability from cvelistv5
Published
2023-08-17 09:34
Modified
2024-10-08 17:23
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=28 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:01:57.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=28" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-3698", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T17:23:40.230393Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T17:23:46.411Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "packageName": "Printer Service", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security" } ], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. 
Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\u003cbr\u003e" } ], "value": "Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n" } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-17T09:34:53.301Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=28" } ], "source": { "discovery": "UNKNOWN" }, "title": "A Command injection vulnerability was found on Printer service of ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-3698", "datePublished": "2023-08-17T09:34:53.301Z", "dateReserved": "2023-07-17T06:12:27.375Z", "dateUpdated": "2024-10-08T17:23:46.411Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-37398 (GCVE-0-2022-37398)
Vulnerability from cvelistv5
Published
2022-08-05 16:46
Modified
2024-09-17 02:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=12 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:29:21.143Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "3.5.9.RUE3", "status": "affected", "version": "3.5", "versionType": "custom" }, { "lessThanOrEqual": "4.0.5.RVI1", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RJD1", "status": "affected", "version": "4.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Nikita Abramov (Positive Technologies)" } ], "datePublic": "2022-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-05T16:46:19", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=12" } ], "source": { "discovery": "EXTERNAL" }, "title": "A stack-based buffer overflow vulnerability was found on ADM", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@asustor.com", "DATE_PUBLIC": "2022-08-18T03:00:00.000Z", "ID": "CVE-2022-37398", "STATE": "PUBLIC", "TITLE": "A stack-based buffer overflow vulnerability was found on ADM" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ADM", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "3.5", "version_value": "3.5.9.RUE3" }, { "version_affected": "\u003c=", "version_name": "4.0", "version_value": "4.0.5.RVI1" }, { "version_affected": "\u003c=", "version_name": "4.1", "version_value": "4.1.0.RJD1" } ] } } ] }, "vendor_name": "ASUSTOR" } ] } }, "credit": [ { "lang": "eng", "value": "Nikita Abramov (Positive Technologies)" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. 
An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-121 Stack-based Buffer Overflow" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.asustor.com/security/security_advisory_detail?id=12", "refsource": "MISC", "url": "https://www.asustor.com/security/security_advisory_detail?id=12" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2022-37398", "datePublished": "2022-08-05T16:46:19.585398Z", "dateReserved": "2022-08-04T00:00:00", "dateUpdated": "2024-09-17T02:42:12.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7380 (GCVE-0-2025-7380)
Vulnerability from cvelistv5
Published
2025-07-14 05:39
Modified
2025-07-14 13:17
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM. The issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=44 | vendor-advisory |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7380", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-14T13:17:00.709054Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-14T13:17:13.127Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "Access Control", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.3.3.RH61", "status": "affected", "version": "4.1.0", "versionType": "custom" }, { "lessThanOrEqual": "5.0.0.RIN1", "status": "affected", "version": "5.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Engin Aydo\u011fan" } ], "datePublic": "2025-07-14T05:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user\u0027s session, potentially accessing session cookies or other sensitive data.\u003cbr\u003eAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier." } ], "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. 
These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user\u0027s session, potentially accessing session cookies or other sensitive data.\nAffected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier." } ], "impacts": [ { "capecId": "CAPEC-592", "descriptions": [ { "lang": "en", "value": "CAPEC-592 Stored XSS" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-14T08:26:03.411Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=44" } ], "source": { "discovery": "UNKNOWN" }, "title": "A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, 
"cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2025-7380", "datePublished": "2025-07-14T05:39:07.731Z", "dateReserved": "2025-07-09T06:12:02.702Z", "dateUpdated": "2025-07-14T13:17:13.127Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2909 (GCVE-0-2023-2909)
Vulnerability from cvelistv5
Published
2023-05-31 09:26
Modified
2025-01-09 21:01
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.
References
▼ | URL | Tags |
---|---|---|
https://www.asustor.com/security/security_advisory_detail?id=25 | vendor-advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:41:04.009Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=25" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2909", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T20:58:22.645386Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-09T21:01:20.049Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "packageName": "EZ Sync", "platforms": [ "Linux", "x86", "ARM", "64 bit" ], "product": "ADM", "vendor": "ASUSTOR", "versions": [ { "lessThanOrEqual": "4.0.6.REG2", "status": "affected", "version": "4.0", "versionType": "custom" }, { "lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom" }, { "lessThanOrEqual": "4.2.1.RGE2", "status": "affected", "version": "4.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "JuYang.Gao (chumen77) from Dbappsecurity Co.,Ltd" } ], "datePublic": "2023-06-06T07:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below." 
} ], "value": "EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below." } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-07T08:08:19.073Z", "orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=25" } ], "source": { "discovery": "UNKNOWN" }, "title": "A Directory traversal vulnerability was found on EZ Sync service of ADM", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "assignerShortName": "ASUSTOR1", "cveId": "CVE-2023-2909", "datePublished": "2023-05-31T09:26:31.581Z", "dateReserved": "2023-05-26T09:43:49.971Z", "dateUpdated": "2025-01-09T21:01:20.049Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2023-05-17 07:15
Modified
2024-11-21 07:58
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A Cross-Site Scripting (XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E263E01C-BF3F-4107-989E-8EE195511DF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:4.0.6:reg2:*:*:*:*:*:*", "matchCriteriaId": "CD67EA77-03E9-435C-B1AF-C6EEEB69E55F", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "0284FF36-321E-471E-A1E9-58A36E7A8039", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:4.1.0:rlq1:*:*:*:*:*:*", "matchCriteriaId": "C6FBB975-F3A3-41C6-822A-AF32997422F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:4.2.1:-:*:*:*:*:*:*", "matchCriteriaId": "4E95A07A-CA6B-4E79-BF1A-F1A3A97D1C9F", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:4.2.1:rge2:*:*:*:*:*:*", "matchCriteriaId": "62B4CDB5-AF06-40D1-A243-7577BAF3D001", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:looksgood:2.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "B03279A2-073F-463B-86FA-2BC862F94227", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:looksgood:2.0.0:r129:*:*:*:*:*:*", "matchCriteriaId": "D64E2127-EB5B-450A-A4A0-0967CAC153C9", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:soundsgood:2.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "6311BD0B-3160-4C44-A837-414885F6EABF", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:soundsgood:2.3.0:r1027:*:*:*:*:*:*", "matchCriteriaId": "B0CE69E6-949C-4A8D-B54C-03398447D012", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. 
Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below." } ], "id": "CVE-2023-2509", "lastModified": "2024-11-21T07:58:44.827", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security@asustor.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-17T07:15:08.567", "references": [ { "source": "security@asustor.com", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=22" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=22" } ], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@asustor.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-06-28 14:29
Modified
2024-11-21 03:43
Summary
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "B849FC11-67D3-4384-8346-B6F671869EEF", "versionEndIncluding": "3.1.2.rhg1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the \u0027script\u0027 parameter." }, { "lang": "es", "value": "El portal NAS de ASUSTOR ADM 3.1.0.RFQ3 sufre de una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo no autenticada en el archivo portal/apis/aggrecate_js.cgi embebiendo comandos del sistema operativo en el par\u00e1metro \"script\"." } ], "id": "CVE-2018-11510", "lastModified": "2024-11-21T03:43:31.233", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-28T14:29:00.260", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/mefulton/CVE-2018-11510" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45200/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45212/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/mefulton/CVE-2018-11510" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45200/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/45212/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-04-17 07:15
Modified
2024-11-21 08:00
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "405FA5F6-2C64-4ED6-ABB6-F2A20C3E3BFA", "versionEndIncluding": "4.0.6.reg2", "versionStartIncluding": "4.0.0.rib4", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "D979C00B-026E-4EAF-8197-B1E689CFEC7F", "versionEndExcluding": "4.2.1.rge2", "versionStartIncluding": "4.1.0.rhu2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below." } ], "id": "CVE-2023-30770", "lastModified": "2024-11-21T08:00:52.217", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security@asustor.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-17T07:15:08.300", "references": [ { "source": 
"security@asustor.com", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=21" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=21" } ], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "security@asustor.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-05-31 09:15
Modified
2024-11-21 07:59
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Download Center fails to properly validate the file path submitted by a user. An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:download_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "503AD2F7-FD3C-4BFE-976A-B10AEB7B02B1", "versionEndExcluding": "1.1.5.r1298", "versionStartIncluding": "1.1.5", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "63289DB6-E94A-4542-A9EA-1E560CCC9D30", "vulnerable": false }, { "criteria": "cpe:2.3:a:asustor:adm:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "44D051A3-DC4D-404C-9D4B-31461265BA6C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Download Center fails to properly validate the file path submitted by a user, An attacker can exploit this vulnerability to gain unauthorized access to sensitive files or directories without appropriate permission restrictions. Download Center on ADM 4.0 and above will be affected. Affected products and versions include: Download Center 1.1.5.r1280 and below. " }, { "lang": "es", "value": "Download Center no valida correctamente la ruta de archivo enviada por un usuario. Un atacante puede aprovechar esta vulnerabilidad para obtener acceso no autorizado a archivos o directorios confidenciales sin las restricciones de permisos adecuadas. Download Center se ve afectado en ADM 4.0 y en versiones superiores. Los productos y versiones afectados incluyen: Download Center v1.1.5.r1280 e inferiores. 
" } ], "id": "CVE-2023-2749", "lastModified": "2024-11-21T07:59:13.130", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security@asustor.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-31T09:15:10.490", "references": [ { "source": "security@asustor.com", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=24" } ], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@asustor.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-276" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-05-31 10:15
Modified
2024-11-21 07:59
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1E548E7-6905-4F55-A71A-50EC37223D6A", "versionEndIncluding": "4.0.6.reg2", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DCF070D-E211-47B4-9BB4-1623173DF027", "versionEndIncluding": "4.1.0rlq1", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "A584E04F-E349-4F7C-86B4-093271659313", "versionEndIncluding": "4.2.1.rge2", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below." 
} ], "id": "CVE-2023-2909", "lastModified": "2024-11-21T07:59:32.860", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security@asustor.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-31T10:15:09.577", "references": [ { "source": "security@asustor.com", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=25" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=25" } ], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security@asustor.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-05 17:15
Modified
2024-11-21 07:14
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "792CC2E3-7FC2-428E-AA55-92D093D97DB4", "versionEndIncluding": "3.5.9.rue3", "versionStartIncluding": "3.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "6521DF3B-B73C-4345-BE19-1C7F8B9E283C", "versionEndIncluding": "4.0.5.rvi1", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CD1D147-FB0B-4A4D-A483-FCD74D47DB27", "versionEndIncluding": "4.1.0.rjd1", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below." }, { "lang": "es", "value": "Se ha encontrado una vulnerabilidad de desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria dentro de ADM cuando usa WebDAV debido a una falta de validaci\u00f3n del tama\u00f1o de los datos. Un atacante puede explotar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario. 
Las versiones de ADM afectadas son: 3.5.9.RUE3 y anteriores, 4.0.5.RVI1 y anteriores, as\u00ed como 4.1.0.RJD1 y anteriores" } ], "id": "CVE-2022-37398", "lastModified": "2024-11-21T07:14:55.337", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security@asustor.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-05T17:15:08.997", "references": [ { "source": "security@asustor.com", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.asustor.com/security/security_advisory_detail?id=12" } ], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-121" } ], "source": "security@asustor.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }