Posted by naphthalin via Fulldisclosure on Sep 04

The internet radio device auna IR-160 SE has multiple vulnerabilities.
It uses the firmware UIProto, different versions of which can also be
found in many other radios.

1. The firmware offers a rudimentary web API that can be reached on the
local network on port 80. This API is completely unauthenticated,
allowing anyone to control the radio over the local network. (already
known as CVE-2019-13474, but relevant for the other two findings)...