Filtered by vendor Asustor
Subscribe
Total
34 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-12314 | 1 Asustor | 2 As602t, Data Master | 2018-12-21 | 7.8 HIGH | 7.5 HIGH |
| Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the "file" and "folder" URL parameters. | |||||
| CVE-2018-12316 | 1 Asustor | 2 As602t, Data Master | 2018-12-21 | 9.0 HIGH | 8.8 HIGH |
| OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter. | |||||
| CVE-2018-12307 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 9.0 HIGH | 8.8 HIGH |
| OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter. | |||||
| CVE-2018-12310 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement feature. | |||||
| CVE-2018-12311 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename. | |||||
| CVE-2018-12312 | 1 Asustor | 2 As602t, Data Master | 2018-12-20 | 9.0 HIGH | 8.8 HIGH |
| OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter. | |||||
| CVE-2018-12305 | 1 Asustor | 1 Data Master | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with embedded JavaScript. | |||||
| CVE-2018-15694 | 1 Asustor | 1 Data Master | 2018-10-30 | 6.0 MEDIUM | 7.5 HIGH |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled. | |||||
| CVE-2018-15697 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history. | |||||
| CVE-2018-15699 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field. | |||||
| CVE-2018-15696 | 1 Asustor | 1 Data Master | 2018-10-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi. | |||||
| CVE-2018-15698 | 1 Asustor | 1 Data Master | 2018-10-30 | 6.8 MEDIUM | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi. | |||||
| CVE-2018-15695 | 1 Asustor | 1 Data Master | 2018-10-30 | 8.5 HIGH | 6.5 MEDIUM |
| ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi. | |||||
| CVE-2018-11511 | 1 Asustor | 1 Asustor Data Master | 2018-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI. | |||||