#1 Path Traversal
It is possible to read/write/delete files or list directories by using "../" to traverse to other folders via requests to /cockpit/media/api
Example of a vulnerable request:
POST /cockpit/media/api HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
#2 Application Wide CSRF
The application lacks anti-csrf protection mechanism, thus, an attacker is able to change API tokens and passwords.
#3 Application Wide XSS
The application is vulnerable to XSS attacks.
The mentioned issues were targeted in the 0.6.2 release.