ASUSTOR Data Master < 3.1.6 Multiple Vulnerabilities
medium Nessus Plugin ID 112115
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
A web interface for ASUSTOR NAS devices running on the remote web server is affected by multiple vulnerabilities.Description
According to its self-reported version number, the ASUSTOR Data Master (ADM) web interface running on the remote web server is prior to 3.1.6. It is, therefore, affected by multiple vulnerabilities:- CVE-2018-15694: Authenticated File Upload
- CVE-2018-15695: Authenticated Arbitrary File Deletion
- CVE-2018-15696: Authenticated Account Enumeration
- CVE-2018-15697: Authenticated File Disclosure
- CVE-2018-15698: Authenticated File Disclosure
- CVE-2018-15699: MITM XSS
Solution
Upgrade to ASUSTOR Data Master (ADM) version 3.1.6 or later.See Also
Plugin Details
Severity: Medium
ID: 112115
File Name: asustor_data_master_3_1_6.nasl
Version: 1.3
Type: remote
Family: CGI abuses
Published: 8/24/2018
Updated: 11/4/2019
Dependencies: asustor_data_master_detect.nbin
Risk Information
CVSS Score Source: CVE-2018-15695
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 8.5
Temporal Score: 6.3
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C
Temporal Vector: E:U/RL:OF/RC:C
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Temporal Vector: E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:asustor:data_master
Required KB Items: installed_sw/ASUSTOR Data Master
Exploit Ease: No known exploits are available
Patch Publication Date: 8/15/2018
Vulnerability Publication Date: 8/24/2018
Reference Information
CVE: CVE-2018-15694, CVE-2018-15695, CVE-2018-15696, CVE-2018-15697, CVE-2018-15698, CVE-2018-15699
TRA: TRA-2018-22