Appear TV · Appear TV XC5100 · CVE-2018-7539
**Name of the Vulnerable Software and Affected Versions**
Appear TV XC5000 and XC5100 devices with firmware 3.26.217
**Description**
The issue allows an attacker to read OS files by sending a specially crafted HTTP request, such as GET /../../../../../../../../../../../../etc/passwd, to the web server (fuzzd/0.1.1) running the Maintenance Center on port TCP/8088. This can potentially lead to full compromise of the device.
**Recommendations**
For Appear TV XC5000 and XC5100 devices with firmware 3.26.217, consider restricting access to the Maintenance Center on port TCP/8088 as a temporary workaround until a patch is available. Avoid using the web server to access sensitive OS files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.