CVE-2019-19453
https://notcve.org/view.php?id=CVE-2019-19453
03 Aug 2020 — Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user with access to proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19453.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19456
https://notcve.org/view.php?id=CVE-2019-19456
18 May 2020 — A reflected XSS was found in the server selection box inside the login page at enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19456.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19454
https://notcve.org/view.php?id=CVE-2019-19454
18 May 2020 — An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19454.txt
CVE-2020-9004
https://notcve.org/view.php?id=CVE-2020-9004
14 Apr 2020 — A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5. • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-Authenticated%20Remote%20Authorization%20Bypass%20Leading%20to%20RCE-Wowza • CWE-306: Missing Authentication for Critical Function
CVE-2019-7655
https://notcve.org/view.php?id=CVE-2019-7655
29 Jan 2020 — Wowza Streaming Engine 4.8.0 and earlier suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5. • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7655-XSS-Wowza • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7656
https://notcve.org/view.php?id=CVE-2019-7656
29 Jan 2020 — A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets overly relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. A payload injected into one of those files will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.... • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7656-PrivEscal-Wowza • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2019-7654
https://notcve.org/view.php?id=CVE-2019-7654
29 Jan 2020 — Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5. • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7654-CSRF-Wowza • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-19365
https://notcve.org/view.php?id=CVE-2018-19365
18 Mar 2019 — The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request. • https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16922
https://notcve.org/view.php?id=CVE-2017-16922
05 Mar 2018 — In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specifically crafted HTTP request. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2017-16922.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-7049
https://notcve.org/view.php?id=CVE-2018-7049
01 Mar 2018 — An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the HTTP providers (com.wowza.wms.http.HTTPProviderMediaList and com.wowza.wms.http.streammanager.HTTPStreamManager) causing script injection and/or reflection via a crafted HTTP request. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-7049.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')