MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with action=getconfig to retrieve a complete system configuration archive containing sensitive credentials.
The product stores a password in a configuration file that might be accessible to actors who do not know the password.