Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

ASUSTOR Data Master

Source -

CNA

CNA CVEs -

6

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2018-15694
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-7.5||HIGH
EPSS-2.12% / 83.42%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a path traversal vulnerability. This could lead to code execution if the "Web Server" feature is enabled.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-15695
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.49% / 64.47%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a path traversal vulnerability in wallpaper.cgi.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-15696
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 53.57%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-15697
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 61.34%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-16 Sep, 2024 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full path. For example, /home/admin/.ash_history.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-15698
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.73% / 71.84%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-17 Sep, 2024 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing the full path to loginimage.cgi.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-15699
Assigner-Tenable Network Security, Inc.
ShareView Details
Assigner-Tenable Network Security, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-27 Aug, 2018 | 14:00
Updated-17 Sep, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take advantage of this by inserting Javascript into the configuration files Version field.

Action-Not Available
Vendor-ASUSTOR Inc.Tenable, Inc.
Product-data_masterASUSTOR Data Master
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')