CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19453
https://notcve.org/view.php?id=CVE-2019-19453
Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5. Wowza Streaming Engine en versiones anteriores a la 4.8.5 permite un ataque de tipo XSS (problema 1 de 2). Un usuario autenticado, con acceso a la edición de la licencia de proxy, puede insertar una carga útil maliciosa que se activará en la página principal de la configuración del servidor. • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19453.txt https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19456
https://notcve.org/view.php?id=CVE-2019-19456
A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. Una vulnerabilidad de tipo XSS reflejado fue encontrado en el cuadro de selección del servidor dentro de la página de inicio de sesión en: el archivo enginemanager/loginfailed.html en Wowza Streaming Engine versiones anteriores a 4.x.x. Este problema se resolvió en Wowza Streaming Engine 4.8.0 • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19456.txt https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-0-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19454
https://notcve.org/view.php?id=CVE-2019-19454
An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. Una descarga de archivos arbitraria fue encontrada en la funcionalidad "Download Log" de Wowza Streaming Engine versiones anteriores a 4.x.x. Este problema se resolvió en Wowza Streaming Engine 4.8.0 • https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-19454.txt https://www.gruppotim.it/redteam https://www.wowza.com/docs/wowza-streaming-engine-4-8-0-release-notes •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2020-9004
https://notcve.org/view.php?id=CVE-2020-9004
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5. Una vulnerabilidad de omisión de autorización autenticada remota en Wowza Streaming Engine versión 4.8.0 y anteriores permite a cualquier usuario de sólo lectura emitir peticiones al panel de administración para cambiar la funcionalidad. Por ejemplo, un usuario de sólo lectura puede activar el puerto Java JMX en modo no autenticado y ejecutar comandos del Sistema Operativo con privilegios de root. • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-9004-Authenticated%20Remote%20Authorization%20Bypass%20Leading%20to%20RCE-Wowza https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2020-9004.txt https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-7655
https://notcve.org/view.php?id=CVE-2019-7655
Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5. Wowza Streaming Engine versiones 4.8.0 y anteriores, sufre de múltiples vulnerabilidades de tipo XSS autenticado por medio del (1) campo customList%5B0%5D.value en el archivo enginemanager/server/serversetup/edit_adv.htm de la configuración de Server Setup o el (2) campo host en el archivo enginemanager/j_spring_security_check del formulario de inicio de sesión. Este problema se resolvió en el Wowza Streaming Engine 4.8.5 • https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7655-XSS-Wowza https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-7655.txt https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes https://www.wowza.com/pricing/installer • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •