AV Stumpfl Pixera Two Media Server Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3. The issue resides in an unspecified function of the component Service Port 1338 and results in arbitrary file read. Exploitation allows unauthenticated users to read any file on the server, potentially disclosing sensitive information such as system files or registry data that could be leveraged for further attacks.
Impact
Exploitation of this vulnerability could lead to unauthorized disclosure of information, allowing attackers to read arbitrary files on the server. This could include sensitive system files or registry data, which might contain exploitable information such as hashed passwords.
Reproduction
The vulnerability can be reproduced by sending a crafted HTTP request to the Pixera Media Server's web server on port 1338. The request must include a path traversal payload that navigates up the directory structure to access sensitive files, such as the Windows system file 'win.ini'.
Remediation
Users are advised to upgrade to AV Stumpfl Pixera version 25.2 R3, released on October 14, 2025. In this version, Pixera introduced API allow-listing to limit API access, which can help mitigate the vulnerability. Additionally, applying strict IP whitelisting to restrict access to the web panel and API from trusted sources is recommended.
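Until the upgrade and IP allow-listing are in place, operators can watch the service port for traversal attempts. The following check is an added example, not part of the original advisory or of Pixera's own software: it assumes a generic access-log layout (client IP, server port, method, request path, status) and the sample lines are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines in an assumed format:
# "<client_ip> <server_port> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.0.5 1338 GET /api/media/list 200
10.0.0.9 1338 GET /api/media/file?name=..%2F..%2F..%2Fwindows%2Fwin.ini 200
10.0.0.9 1338 GET /api/media/file?name=....//....//windows/win.ini 200
10.0.0.7 1338 GET /api/status 200
10.0.0.9 80 GET /api/media/file?name=../../../etc/passwd 404
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+)$")
# A parent-directory reference followed by a separator, after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def normalize(path: str) -> str:
    """Percent-decode until stable (defeats double encoding), unify slashes."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if the decoded request path contains a '../' style sequence."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan_log(text: str, service_port: int = 1338) -> List[Dict[str, object]]:
    """Return one alert per traversal attempt against the given service port.

    A 200 response to such a request is flagged as a likely successful read,
    since the affected versions return the requested file.
    """
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, port, _method, path, status = m.groups()
        if int(port) != service_port or not is_traversal(path):
            continue
        alerts.append({"ip": ip, "path": normalize(path),
                       "likely_success": status == "200"})
    return alerts
```

Requests on other ports (the port-80 line above) are ignored because only the service port is exposed by the affected component; widen `service_port` if the web panel is proxied elsewhere.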