A chained exploit that leverages a persistent cross site scripting and ends up with a root shell. I had attempted to work with Asustor in order to disclose this through their security team as it states to do so via Mitre as they are a CNA, however I had zero luck in receiving contact with the security team there. Link to a write up: https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation
Update - 22 May 2018, Mitre has assigned some CVE identifiers for the bugs detailed in the blog post:
CVE-2018-11340 CVE-2018-11341 CVE-2018-11342 CVE-2018-11343 CVE-2018-11344 CVE-2018-11345 CVE-2018-11346