An issue was discovered in Polycom Web Management Interface G3/HDX 8000 HD with Durango 2.6.0 4740 software and embedded Polycom Linux Development Platform 2.14.g3. It has a blank administrative password by default, and can be successfully used without setting this password.

Polycom HDX Video End Points before 3.0 allows attackers to read arbitrary files via a .. (dot dot) in the name parameter to a_getlog.cgi.