All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.