Crestron · Crestron Airmedia Am-100 · CVE-2016-5639
**Name of the Vulnerable Software and Affected Versions**
Crestron AirMedia AM-100 versions prior to 1.4.0.13
**Description**
A directory traversal issue exists in the cgi-bin/login.cgi file, allowing remote attackers to read arbitrary files by including a .. (dot dot) in the `src` parameter of the affected API endpoint.
**Recommendations**
For versions prior to 1.4.0.13, update the firmware to version 1.4.0.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/login.cgi file until the update is applied. Avoid using the `src` parameter in the vulnerable endpoint until the issue is resolved.