CVE-2022-23178

Name of the Vulnerable Software and Affected Versions Crestron HD-MD4X2-4K-E version 1.0.0.2159

Description An issue was discovered where user credentials are disclosed when the administrative web interface of the HDMI switcher is accessed unauthenticated. The aj.html page sends a JSON document with uname and upassword fields, which contain valid credentials to authenticate to the web interface.

Recommendations For Crestron HD-MD4X2-4K-E version 1.0.0.2159, consider restricting access to the administrative web interface until a fix is available. As a temporary workaround, avoid using the aj.html page or restrict access to it to minimize the risk of credential disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.