Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md
http://www.securityfocus.com/bid/92216
http://www.kb.cert.org/vuls/id/603047
https://www.exploit-db.com/exploits/40813/
Source: Mitre, NVD
Published: 2016-08-03
Updated: 2026-06-17
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Severity: Medium
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: High
EPSS: 0.20842