CVE-2025-43928 PUBLISHED

Assigner: mitre
Reserved: 20.04.2025 Published: 20.04.2025 Updated: 20.04.2025

In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 5.8

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Infodraw
Product	Media Relay Service
Versions	Default: unknown Version 7.1.0.0 is affected

References

https://mint-secure.de/path-traversal-vulnerability-in-surveillance-software/
https://cfp.eh22.easterhegg.eu/eh22/talk/9UDXSE/

Problem Types

CWE-24 Path Traversal: '../filedir' CWE