Matthew Fulton

**Name of the Vulnerable Software and Affected Versions** ASUSTOR ADM version 3.1.0.RFQ3 **Description** The issue allows an attacker to login using the default root:admin username and password, which is the same as the one used for the NAS itself for applications installed from the online repository. This may enable an attacker to upload a webshell. **Recommendations** For ASUSTOR ADM version 3.1.0.RFQ3, change the default root:admin username and password to unique and strong credentials to prevent unauthorized access. Consider restricting access to the administrative interface until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR ADM version 3.1.0.RFQ3 **Description** The photo gallery application in ASUSTOR ADM contains a SQL injection issue in the tree list functionality. This issue affects the `album id` or `scope` parameter via the "photo-gallery/api/album/tree lists/" URI. **Recommendations** For ASUSTOR ADM version 3.1.0.RFQ3, avoid using the `album id` or `scope` parameter in the affected API endpoint until the issue is resolved. Restrict access to the "photo-gallery/api/album/tree lists/" URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR ADM version 3.1.0.RFQ3 **Description** The issue is related to an unauthenticated remote code execution in the "portal/apis/aggrecate js.cgi" API endpoint. This is achieved by embedding OS commands in the `script` parameter. **Recommendations** For ASUSTOR ADM version 3.1.0.RFQ3, as a temporary workaround, consider restricting access to the "portal/apis/aggrecate js.cgi" API endpoint until a patch is available. Avoid using the `script` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR AS6202T ADM version 3.1.0.RFQ3 **Description** A path traversal issue exists, allowing attackers to specify any file on the system for download using the `file1` parameter in the "download.cgi" endpoint. **Recommendations** For ASUSTOR AS6202T ADM version 3.1.0.RFQ3, consider restricting access to the `download.cgi` endpoint until a patch is available. As a temporary workaround, avoid using the `file1` parameter in the download.cgi endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR AS6202T ADM version 3.1.0.RFQ3 **Description** The issue allows attackers to navigate the file system via the `filename` parameter in the importuser.cgi. This is a directory traversal issue. **Recommendations** For ASUSTOR AS6202T ADM version 3.1.0.RFQ3, avoid using the `filename` parameter in the importuser.cgi until the issue is resolved. Restrict access to the importuser.cgi to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR AS6202T ADM version 3.1.0.RFQ3 **Description** The issue allows for an insecure direct object reference, enabling access to arbitrary files throughout the system. This is achieved by referencing the "download sys settings" action and specifying files via the `act` parameter in the "download.cgi" endpoint. **Recommendations** For ASUSTOR AS6202T ADM version 3.1.0.RFQ3, consider restricting access to the "download.cgi" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `act` parameter in the "download.cgi" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR AS6202T ADM version 3.1.0.RFQ3 **Description** A path traversal issue in the fileExplorer.cgi component allows attackers to specify arbitrary paths to system files, enabling them to create folders using the `dest folder` parameter. **Recommendations** For ASUSTOR AS6202T ADM version 3.1.0.RFQ3, avoid using the `dest folder` parameter in the fileExplorer.cgi component until a fix is available. Consider restricting access to the fileExplorer.cgi to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR SoundsGood (affected versions not specified) **Description** A persistent cross-site scripting issue in the playlistmanger.cgi component of the ASUSTOR SoundsGood application allows attackers to store cross-site scripting payloads via the `playlist` parameter in POST requests. **Recommendations** For the affected version, consider restricting access to the `playlistmanger.cgi` component until a patch is available. As a temporary workaround, avoid using the `playlist` parameter in POST requests to the vulnerable endpoint.