CVE-2025-7380
MEDIUMASUSTOR ADM <= 5.0.0.RIN1 - Shared Folder Stored Cross-Site Scripting
Title source: manualDescription
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
References (1)
Core 1
Core References
Various Sources vendor-advisory
https://www.asustor.com/security/security_advisory_detail?id=44
Scores
CVSS v4
4.8
EPSS
0.0028
EPSS Percentile
19.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
ASUSTOR/ADM
4.1.0 - 4.3.3.RH61
ASUSTOR/ADM
5.0.0 - 5.0.0.RIN1
Published
Jul 14, 2025
Tracked Since
Feb 18, 2026