CVE-2016-5639

Name of the Vulnerable Software and Affected Versions Crestron AirMedia AM-100 versions prior to 1.4.0.13

Description A directory traversal issue exists in the cgi-bin/login.cgi file, allowing remote attackers to read arbitrary files by including a .. (dot dot) in the src parameter of the affected API endpoint.

Recommendations For versions prior to 1.4.0.13, update the firmware to version 1.4.0.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the cgi-bin/login.cgi file until the update is applied. Avoid using the src parameter in the vulnerable endpoint until the issue is resolved.