cbcvebase.

Wowza Streaming Engine vulnerabilities

26 known vulnerabilities affecting wowza/streaming_engine.

Total CVEs
26
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL3HIGH10MEDIUM12LOW1

Vulnerabilities

Page 1 of 2
CVE-2018-19365P1CRITICALCVSS 9.1ExploitedPoCv4.7.4.0.12019-03-21
CVE-2018-19365 [CRITICAL] CWE-22 CVE-2018-19365: The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retr The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request.
nvd
CVE-2020-9004P3HIGHCVSS 8.8≤ 4.8.02020-04-14
CVE-2020-9004 [HIGH] CWE-306 CVE-2020-9004: A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlie A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was
nvd
CVE-2018-7047P3CRITICALCVSS 9.8fixed in 4.7.12018-03-01
CVE-2018-7047 [CRITICAL] CWE-798 CVE-2018-7047: An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).
nvd
CVE-2024-52053P3CRITICALCVSS 9.6≥ 4.3.0, < 4.9.1fixed in 4.9.12024-11-21
CVE-2024-52053 [CRITICAL] CWE-79 CVE-2024-52053: Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts.
nvd
CVE-2016-20034P3HIGHCVSS 8.0v4.5.02026-03-16
CVE-2016-20034 [HIGH] CWE-352 CVE-2016-20034: Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative acce
nvd
CVE-2024-52052P3HIGHCVSS 7.2≥ 4.3.0, < 4.9.12024-11-21
CVE-2024-52052 [HIGH] CWE-646 CVE-2024-52052: Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator t Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.
nvd
CVE-2016-20033P3HIGHCVSS 7.8v4.5.02026-03-16
CVE-2016-20033 [HIGH] CWE-639 CVE-2016-20033: Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authent Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious exe
nvd
CVE-2019-19454P3HIGHCVSS 7.5≥ 4.0.0, ≤ 4.8.02020-05-18
CVE-2019-19454 [HIGH] CVE-2019-19454: An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine < An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.
nvd
CVE-2019-7656P3HIGHCVSS 7.8≤ 4.8.02020-01-29
CVE-2019-7656 [HIGH] CWE-732 CVE-2019-7656: A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivil A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza serve
nvd
CVE-2019-19455P3HIGHCVSS 7.8fixed in 4.8.52020-08-03
CVE-2019-19455 [HIGH] CWE-732 CVE-2019-19455: Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to esc Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to escalate privileges in / usr / local / WowzaStreamingEngine / manager / bin / in the Linux version of the server by writing arbitrary commands in any file and execute them as root. This issue was resolved in Wowza Streaming Engine 4.8.5.
nvd
CVE-2021-35492P3MEDIUMCVSS 6.5≤ 4.8.112021-10-05
CVE-2021-35492 [MEDIUM] CWE-770 CVE-2021-35492: Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust fil Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring sec
nvd
CVE-2024-52056P3MEDIUMCVSS 6.5≥ 4.3.0, < 4.9.12024-11-21
CVE-2024-52056 [MEDIUM] CWE-22 CVE-2024-52056: Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrato Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to delete any directory on the file system if the target directory contains an XML definition file.
nvd
CVE-2021-35491P3HIGHCVSS 8.1fixed in 4.8.142021-10-05
CVE-2021-35491 [HIGH] CWE-352 CVE-2021-35491: A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14.
nvd
CVE-2021-31540P4HIGHCVSS 7.1≤ 4.8.52021-04-23
CVE-2021-31540 [HIGH] CWE-732 CVE-2021-31540: Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of c Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.
nvd
CVE-2018-7048P4HIGHCVSS 7.5fixed in 4.7.12018-03-01
CVE-2018-7048 [HIGH] CWE-400 CVE-2018-7048: An issue was discovered in Wowza Streaming Engine before 4.7.1. There is a denial of service (memory An issue was discovered in Wowza Streaming Engine before 4.7.1. There is a denial of service (memory consumption) via a crafted HTTP request.
nvd
CVE-2019-7654P4MEDIUMCVSS 6.5≤ 4.8.02020-01-29
CVE-2019-7654 [MEDIUM] CWE-352 CVE-2019-7654: Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.
nvd
CVE-2017-16922P4MEDIUMCVSS 5.3fixed in 4.7.12018-03-05
CVE-2017-16922 [MEDIUM] CWE-22 CVE-2017-16922: In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, trav In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specifically crafted HTTP request.
nvd
CVE-2024-52055P4MEDIUMCVSS 4.9≥ 4.3.0, < 4.9.12024-11-21
CVE-2024-52055 [MEDIUM] CWE-22 CVE-2024-52055: Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrato Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to read any file on the file system if the target directory contains an XML definition file.
nvd
CVE-2016-20036P4MEDIUMCVSS 6.1v4.5.02026-03-16
CVE-2016-20036 [MEDIUM] CWE-79 CVE-2016-20036: Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType
nvd
CVE-2018-7049P4MEDIUMCVSS 6.1fixed in 4.7.12018-03-01
CVE-2018-7049 [MEDIUM] CWE-79 CVE-2018-7049: An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the HTTP providers (com.wowza.wms.http.HTTPProviderMediaList and com.wowza.wms.http.streammanager.HTTPStreamManager) causing script injection and/or reflection via a crafted HTTP request.
nvd