cbcvebase.

Asustor Data Master vulnerabilities

37 known vulnerabilities affecting asustor/data_master.

Total CVEs
37
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH14MEDIUM17LOW2

Vulnerabilities

Page 1 of 2
CVE-2026-24936P2CRITICALCVSS 9.8≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.re512026-02-03
CVE-2026-24936 [CRITICAL] CWE-20 CVE-2026-24936: When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete
nvd
CVE-2026-6643P2CRITICALCVSS 9.9≥ 4.1.0.rhu2, < 4.3.3.RR42≥ 5.0.0.ra82, < 5.1.2.reo12026-04-20
CVE-2026-6643 [CRITICAL] CWE-121 CVE-2026-6643: A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affect
nvd
CVE-2018-12313P2CRITICALCVSS 9.8v3.1.12018-12-04
CVE-2018-12313 [CRITICAL] CWE-78 CVE-2018-12313: OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system com OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter.
nvd
CVE-2026-6644P2CRITICALCVSS 9.1≥ 4.1.0.rhu2, < 4.3.3.RR42≥ 5.0.0.ra82, < 5.1.2.reo12026-04-20
CVE-2026-6644 [CRITICAL] CWE-78 CVE-2026-6644: A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability al A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successfu
nvd
CVE-2023-2910P2HIGHCVSS 8.8≥ 4.0.0.rib4, ≤ 4.0.6.ris1≥ 4.1.0.rhu2, < 4.2.3.rk912023-08-17
CVE-2023-2910 [HIGH] CWE-77 CVE-2023-2910: Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
nvd
CVE-2018-12317P2HIGHCVSS 8.8v3.1.12018-12-04
CVE-2018-12317 [HIGH] CWE-78 CVE-2018-12317: OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system co OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name" POST parameter.
nvd
CVE-2018-12307P2HIGHCVSS 8.8v3.1.12018-12-04
CVE-2018-12307 [HIGH] CWE-78 CVE-2018-12307: OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system com OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter.
nvd
CVE-2018-12312P2HIGHCVSS 8.8v3.1.12018-12-04
CVE-2018-12312 [HIGH] CWE-78 CVE-2018-12312: OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system com OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter.
nvd
CVE-2018-12316P2HIGHCVSS 8.8v3.1.12018-12-04
CVE-2018-12316 [HIGH] CWE-78 CVE-2018-12316: OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system c OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter.
nvd
CVE-2026-3179P3HIGHCVSS 8.1≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.reo12026-02-25
CVE-2026-3179 [HIGH] CWE-22 CVE-2026-3179: The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when par The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite
nvd
CVE-2023-3697P3HIGHCVSS 8.8≥ 4.0.0.rib4, ≤ 4.0.6.ris1≥ 4.1.0.rhu2, < 4.2.3.rk912023-08-17
CVE-2023-3697 [HIGH] CWE-22 CVE-2023-3697: Printer service fails to adequately handle user input, allowing an remote unauthorized users to navi Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
nvd
CVE-2018-15694P3HIGHCVSS 7.5≤ 3.1.52018-08-27
CVE-2018-15694 [HIGH] CWE-22 CVE-2018-15694: ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload f ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled.
nvd
CVE-2023-3698P3HIGHCVSS 8.1≥ 4.0.0.rib4, ≤ 4.0.6.ris1≥ 4.1.0.rhu2, < 4.2.3.rk912023-08-17
CVE-2023-3698 [HIGH] CWE-22 CVE-2023-3698: Printer service fails to adequately handle user input, allowing an remote unauthorized users to navi Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
nvd
CVE-2018-12314P3HIGHCVSS 7.5v3.1.12018-12-04
CVE-2018-12314 [HIGH] CWE-22 CVE-2018-12314: Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to downlo Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the "file" and "folder" URL parameters.
nvd
CVE-2018-12306P3HIGHCVSS 7.5v3.1.12018-12-04
CVE-2018-12306 [HIGH] CVE-2018-12306: Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the "file1" URL parameter, a similar issue to CVE-2018-11344.
nvd
CVE-2026-3100P3MEDIUMCVSS 6.5≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.reo12026-02-25
CVE-2026-3100 [MEDIUM] CWE-295 CVE-2026-3100: The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while conn The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM) attack, which may intercept, modify, or obtain sensitive information such a
nvd
CVE-2018-12309P3HIGHCVSS 7.5v3.1.12018-12-04
CVE-2018-12309 [HIGH] CVE-2018-12309: Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to a Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to arbitrary locations by modifying the "path" URL parameter. NOTE: the "filename" POST parameter is covered by CVE-2018-11345.
nvd
CVE-2018-12318P3HIGHCVSS 8.8v3.1.12018-12-04
CVE-2018-12318 [HIGH] CWE-200 CVE-2018-12318: Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to ob Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext.
nvd
CVE-2026-24933P3MEDIUMCVSS 5.9≥ 4.1.0.rhu2, ≤ 4.3.3.rof1≥ 5.0.0.ra82, < 5.1.2.re512026-02-03
CVE-2026-24933 [MEDIUM] CWE-295 CVE-2026-24933: The API communication component fails to validate the SSL/TLS certificate when sending HTTPS request The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user
nvd
CVE-2018-15695P3MEDIUMCVSS 6.5≤ 3.1.52018-08-27
CVE-2018-15695 [MEDIUM] CWE-22 CVE-2018-15695: ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete a ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi.
nvd
Asustor Data Master vulnerabilities | cvebase