ASUSTOR Data Master < 3.1.6 Multiple Vulnerabilities

medium Nessus Plugin ID 112115

Language:

Synopsis

A web interface for ASUSTOR NAS devices running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the ASUSTOR Data Master (ADM) web interface running on the remote web server is prior to 3.1.6. It is, therefore, affected by multiple vulnerabilities:

 - CVE-2018-15694: Authenticated File Upload

 - CVE-2018-15695: Authenticated Arbitrary File Deletion

 - CVE-2018-15696: Authenticated Account Enumeration

 - CVE-2018-15697: Authenticated File Disclosure

 - CVE-2018-15698: Authenticated File Disclosure

 - CVE-2018-15699: MITM XSS

Solution

Upgrade to ASUSTOR Data Master (ADM) version 3.1.6 or later.

See Also

https://www.tenable.com/security/research/tra-2018-22

http://www.nessus.org/u?6f7da7ef

Plugin Details

Severity: Medium

ID: 112115

File Name: asustor_data_master_3_1_6.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 8/24/2018

Updated: 11/4/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2018-15695

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:asustor:data_master

Required KB Items: installed_sw/ASUSTOR Data Master

Exploit Ease: No known exploits are available

Patch Publication Date: 8/15/2018

Vulnerability Publication Date: 8/24/2018

Reference Information

CVE: CVE-2018-15694, CVE-2018-15695, CVE-2018-15696, CVE-2018-15697, CVE-2018-15698, CVE-2018-15699