Tim Philipp Schäfers

Researcher from Mint Secure
#26418 of 53,638
9.8 Total CVSS
Vulnerabilities · 1
PT-2025-17400
9.8
2025-04-20
Infodraw · Infodraw Media Relay Service · CVE-2025-43928
**Name of the Vulnerable Software and Affected Versions**

Infodraw Media Relay Service version 7.1.0.0

**Description**

The issue allows reading arbitrary files via `../` directory traversal in the `username` field. This can potentially reveal administrator credentials in cleartext or with MD5 hashing when reading `ServerParameters.xml`. The MRS web server, which is affected, operates on port 12654.

**Recommendations**

For Infodraw Media Relay Service version 7.1.0.0, consider disabling the `username` field in the MRS web server as a temporary workaround until a patch is available. Restrict access to the `ServerParameters.xml` file to minimize the risk of exploitation. Avoid using the `username` field in the affected API endpoint until the issue is resolved.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.