ASUSTOR ADM
cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*
- >= 4.1.0, <= 4.3.3.RH61
- <= 5.0.0.RIN1
A vulnerability has been identified in the EZ Sync Manager of ASUSTOR's ADM operating system, affecting ADM versions from 4.1.0 prior to 4.3.3.RH61, as well as ADM 5.0.0.RIN1 and earlier. The flaw is improper access control: an authenticated user can copy arbitrary files from the server's file system into their own EZ Sync folder, because the file parameter of the HTTP request is not subject to any authorization check. An attacker can therefore retrieve files outside their authorized scope, exposing sensitive data, provided those files are readable by other users on the underlying operating system.
Exploitation of this vulnerability could result in the unauthorized exposure of sensitive data by allowing authenticated users to access and copy files from the server file system into their own EZ Sync folder, bypassing access controls.