OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system. An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
94cc0202bafd6d8e09dab8de5983f2f26db28f5d5e4ab61e3830ec9bd40f3b41