OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows malicious users to execute system commands as root by modifying the "name" POST parameter.
asustor data_master 3.1.1