SSRF on http://www.███████/crossdomain.php via url parameter
Critical
Sony
Team Summary
Official summary from Sony
The researcher reported that a Sony endpoint was vulnerable to Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerabilities. The researcher used the LFI vulnerability to read sensitive files such as /etc/passwd from the web server. The researcher also demonstrated using the SSRF vulnerability to view EC2 instance metadata, and to retrieve an externally hosted .svg file to execute a reflected Cross-Site Scripting (XSS) attack.
Reported by: n0x496n
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Server-Side Request Forgery (SSRF)