The vulnerability resides in the “openLiveURL” function of Supra Smart Cloud TV and is caused by a lack of authentication or session management. As shown in the PoC URL, it could allow a local attacker to inject a remote file into the broadcast and display fake videos without any authentication. In a demonstration by Dhiraj Mishra, the exploit allowed him to broadcast a fake “Emergency Alert” while the TV was playing a speech by Steve Jobs. The vulnerability has been given a CVE ID, but it is unlikely to be patched.
Source: https://thehackernews.com/2019/06/supra-smart-tv-hack.html