CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets overly permissive permissions on the /usr/local/WowzaStreamingEngine/bin/* core program files. A payload injected into one of those files runs with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.
• https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7656-PrivEscal-Wowza
• https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-7656.txt
• https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
• https://www.wowza.com/pricing/installer
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator who follows a link can be tricked into making unwanted changes, such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.
• https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-7654-CSRF-Wowza
• https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2019-7654.txt
• https://www.wowza.com/docs/wowza-streaming-engine-4-8-5-release-notes
• https://www.wowza.com/pricing/installer
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.1 | EPSS: 1% | CPEs: 1 | EXPL: 1

The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specially crafted HTTP request.
• https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
• https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specially crafted HTTP request.
• https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2017-16922.txt
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).
• https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-7047.txt
• https://www.wowza.com/docs/wowza-streaming-engine-4-7-1-release-notes
• CWE-798: Use of Hard-coded Credentials