Haqur

**Name of the Vulnerable Software and Affected Versions** ASUSTOR ADM version 3.1.0.RFQ3 **Description** The photo gallery application in ASUSTOR ADM contains a SQL injection issue in the tree list functionality. This issue affects the `album id` or `scope` parameter via the "photo-gallery/api/album/tree lists/" URI. **Recommendations** For ASUSTOR ADM version 3.1.0.RFQ3, avoid using the `album id` or `scope` parameter in the affected API endpoint until the issue is resolved. Restrict access to the "photo-gallery/api/album/tree lists/" URI to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASUSTOR ADM version 3.1.0.RFQ3 **Description** The issue is related to an unauthenticated remote code execution in the "portal/apis/aggrecate js.cgi" API endpoint. This is achieved by embedding OS commands in the `script` parameter. **Recommendations** For ASUSTOR ADM version 3.1.0.RFQ3, as a temporary workaround, consider restricting access to the "portal/apis/aggrecate js.cgi" API endpoint until a patch is available. Avoid using the `script` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.