Vulnerabilities > Asustor > Critical
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-31 | CVE-2023-2909 | Path Traversal vulnerability in Asustor ADM. EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. | 10.0 |
2023-04-17 | CVE-2023-30770 | Out-of-bounds Write vulnerability in Asustor ADM. A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. | 9.8 |
2018-12-04 | CVE-2018-12313 | OS Command Injection vulnerability in Asustor Data Master 3.1.1. OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter. | 9.8 |
2018-08-16 | CVE-2018-11511 | SQL Injection vulnerability in Asustor Data Master 3.1.0. The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI. | 9.8 |
2018-08-16 | CVE-2018-11509 | Use of Hard-coded Credentials vulnerability in Asustor Data Master 3.1.0. ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. | 9.8 |
2018-06-28 | CVE-2018-11510 | OS Command Injection vulnerability in Asustor ADM. The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter. | 9.8 |