
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.) • https://github.com/N4nj0/CVE-2021-35492 https://n4nj0.github.io/advisories/wowza-streaming-engine-i https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14. • https://n4nj0.github.io/advisories/wowza-streaming-engine-i https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notes • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords. • https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-8-01-release-notes#breaking https://www.wowza.com/products/streaming-engine • CWE-312: Cleartext Storage of Sensitive Information •

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration. • https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-12-release-notes https://www.wowza.com/products/streaming-engine • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Wowza Streaming Engine before 4.8.5 has insecure permissions which may allow a local attacker to escalate privileges in /usr/local/WowzaStreamingEngine/manager/bin/ in the Linux version of the server by writing arbitrary commands in any file and executing them as root. This issue was resolved in Wowza Streaming Engine 4.8.5. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19455.txt https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •