Detections
Analytics

ASUSTOR Data Master < 3.1.6 Multiple Vulnerabilities

high Nessus Plugin ID 112115

Language:

Synopsis

A web interface for ASUSTOR NAS devices running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the ASUSTOR Data Master (ADM) web interface running on the remote web server is prior to 3.1.6. It is, therefore, affected by multiple vulnerabilities:

 - CVE-2018-15694: Authenticated File Upload

 - CVE-2018-15695: Authenticated Arbitrary File Deletion

 - CVE-2018-15696: Authenticated Account Enumeration

 - CVE-2018-15697: Authenticated File Disclosure

 - CVE-2018-15698: Authenticated File Disclosure

 - CVE-2018-15699: MITM XSS

Solution

Upgrade to ASUSTOR Data Master (ADM) version 3.1.6 or later.

See Also

https://www.tenable.com/security/research/tra-2018-22

http://www.nessus.org/u?6f7da7ef

Plugin Details

Severity: High

ID: 112115

File Name: asustor_data_master_3_1_6.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 8/24/2018

Updated: 8/14/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2018-15695

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2018-15694

Vulnerability Information

CPE: cpe:/a:asustor:data_master

Required KB Items: installed_sw/ASUSTOR Data Master

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/15/2018

Vulnerability Publication Date: 8/24/2018

Reference Information

CVE: CVE-2018-15694, CVE-2018-15695, CVE-2018-15696, CVE-2018-15697, CVE-2018-15698, CVE-2018-15699