Vulnerabilites related to asustor - soundsgood
Vulnerability from fkie_nvd
Published
2018-05-22 01:29
Modified
2024-11-21 03:43
Severity ?
Summary
A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2018/May/2 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://github.com/mefulton/asustorexploit | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2018/May/2 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mefulton/asustorexploit | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| asustor | soundsgood | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:asustor:soundsgood:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D90456E-A9E1-4413-97E8-A5B78B6F29F6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the \u0027playlist\u0027 POST parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) persistente en playlistmanger.cgi en la aplicaci\u00f3n ASUSTOR SoundsGood permite que los atacantes almacenen cargas \u00fatiles de Cross-Site Scripting (XSS) mediante el par\u00e1metro POST \"playlist\"."
}
],
"id": "CVE-2018-11343",
"lastModified": "2024-11-21T03:43:10.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-22T01:29:00.683",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2018/May/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mefulton/asustorexploit"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2018/May/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mefulton/asustorexploit"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-17 07:15
Modified
2024-11-21 07:58
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:asustor:adm:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E263E01C-BF3F-4107-989E-8EE195511DF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:adm:4.0.6:reg2:*:*:*:*:*:*",
"matchCriteriaId": "CD67EA77-03E9-435C-B1AF-C6EEEB69E55F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:adm:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "0284FF36-321E-471E-A1E9-58A36E7A8039",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:adm:4.1.0:rlq1:*:*:*:*:*:*",
"matchCriteriaId": "C6FBB975-F3A3-41C6-822A-AF32997422F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:adm:4.2.1:-:*:*:*:*:*:*",
"matchCriteriaId": "4E95A07A-CA6B-4E79-BF1A-F1A3A97D1C9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:adm:4.2.1:rge2:*:*:*:*:*:*",
"matchCriteriaId": "62B4CDB5-AF06-40D1-A243-7577BAF3D001",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:looksgood:2.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "B03279A2-073F-463B-86FA-2BC862F94227",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:looksgood:2.0.0:r129:*:*:*:*:*:*",
"matchCriteriaId": "D64E2127-EB5B-450A-A4A0-0967CAC153C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:soundsgood:2.3.0:-:*:*:*:*:*:*",
"matchCriteriaId": "6311BD0B-3160-4C44-A837-414885F6EABF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:asustor:soundsgood:2.3.0:r1027:*:*:*:*:*:*",
"matchCriteriaId": "B0CE69E6-949C-4A8D-B54C-03398447D012",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below."
}
],
"id": "CVE-2023-2509",
"lastModified": "2024-11-21T07:58:44.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.5,
"source": "security@asustor.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-17T07:15:08.567",
"references": [
{
"source": "security@asustor.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.asustor.com/security/security_advisory_detail?id=22"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.asustor.com/security/security_advisory_detail?id=22"
}
],
"sourceIdentifier": "security@asustor.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@asustor.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2018-11343
Vulnerability from cvelistv5
Published
2018-05-22 01:00
Modified
2024-08-05 08:01
Severity ?
EPSS score ?
Summary
A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation | x_refsource_MISC | |
| https://github.com/mefulton/asustorexploit | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2018/May/2 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:01:53.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mefulton/asustorexploit"
},
{
"name": "20180429 ASUSTOR ADM 3.1.0.RFQ3 and below vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2018/May/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the \u0027playlist\u0027 POST parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-16T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mefulton/asustorexploit"
},
{
"name": "20180429 ASUSTOR ADM 3.1.0.RFQ3 and below vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2018/May/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-11343",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the \u0027playlist\u0027 POST parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation",
"refsource": "MISC",
"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation"
},
{
"name": "https://github.com/mefulton/asustorexploit",
"refsource": "MISC",
"url": "https://github.com/mefulton/asustorexploit"
},
{
"name": "20180429 ASUSTOR ADM 3.1.0.RFQ3 and below vulnerabilities",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2018/May/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-11343",
"datePublished": "2018-05-22T01:00:00",
"dateReserved": "2018-05-21T00:00:00",
"dateUpdated": "2024-08-05T08:01:53.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2509
Vulnerability from cvelistv5
Published
2023-05-17 06:33
Modified
2025-01-22 16:51
Severity ?
EPSS score ?
Summary
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.asustor.com/security/security_advisory_detail?id=22 | vendor-advisory |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:08.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.asustor.com/security/security_advisory_detail?id=22"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T16:51:21.778917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T16:51:46.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Web Center",
"platforms": [
"Linux",
"x86",
"64 bit",
"ARM"
],
"product": "ADM",
"vendor": "ASUSTOR",
"versions": [
{
"lessThanOrEqual": "4.0.6.REG2",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.1.0.RLQ1",
"status": "affected",
"version": "4.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.2.1.RGE2",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"x86",
"ARM",
"64 bit"
],
"product": "LooksGood",
"vendor": "ASUSTOR",
"versions": [
{
"lessThanOrEqual": "2.0.0.R129",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"x86",
"ARM",
"64 bit"
],
"product": "SoundsGood",
"vendor": "ASUSTOR",
"versions": [
{
"lessThanOrEqual": "2.3.0.r1027",
"status": "affected",
"version": "2.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Zhiyong Xing, Inner Mongolia Xinyuan Network Security Technology Co., Ltd., China"
}
],
"datePublic": "2023-06-06T07:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below."
}
],
"value": "A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T01:34:00.464Z",
"orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77",
"shortName": "ASUSTOR1"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.asustor.com/security/security_advisory_detail?id=22"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "A Cross-Site Scripting(XSS) vulnerability was found on ADM",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77",
"assignerShortName": "ASUSTOR1",
"cveId": "CVE-2023-2509",
"datePublished": "2023-05-17T06:33:37.536Z",
"dateReserved": "2023-05-04T03:31:16.029Z",
"dateUpdated": "2025-01-22T16:51:46.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}