There is a function in AutomationDirect C-MORE EA9 HMI that allows an malicious user to send a relative path in the URL without proper sanitizing of the content.