VYPR
Vendor

Wowza

Products
1
CVEs
26
Across products
26
Status
Private

Products

1

Recent CVEs

26
View all 26 CVEs →
  • CVE-2018-7047CriMar 1, 2018
    risk 0.64cvss 9.8epss 0.02

    An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).

  • CVE-2024-52053CriNov 21, 2024
    risk 0.62cvss 9.6epss 0.01

    Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts.

  • CVE-2018-19365CriMar 21, 2019
    risk 0.61cvss 9.1epss 0.22

    The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request.

  • CVE-2020-9004HigApr 14, 2020
    risk 0.57cvss 8.8epss 0.04

    A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in…

  • CVE-2021-35491HigOct 5, 2021
    risk 0.53cvss 8.1epss 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request.…

  • CVE-2019-19455HigAug 3, 2020
    risk 0.51cvss 7.8epss 0.00

    Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to escalate privileges in / usr / local / WowzaStreamingEngine / manager / bin / in the Linux version of the server by writing arbitrary commands in any file and execute them as root.…

  • CVE-2019-7656HigJan 29, 2020
    risk 0.51cvss 7.8epss 0.00

    A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into…

  • CVE-2019-19454HigMay 18, 2020
    risk 0.49cvss 7.5epss 0.02

    An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.

  • CVE-2018-7048HigMar 1, 2018
    risk 0.49cvss 7.5epss 0.02

    An issue was discovered in Wowza Streaming Engine before 4.7.1. There is a denial of service (memory consumption) via a crafted HTTP request.

  • CVE-2024-52052HigNov 21, 2024
    risk 0.47cvss 7.2epss 0.00

    Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution.

  • CVE-2021-31540HigApr 23, 2021
    risk 0.46cvss 7.1epss 0.00

    Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.

  • CVE-2021-35492MedOct 5, 2021
    risk 0.43cvss 6.5epss 0.03

    Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker…

  • CVE-2024-52056MedNov 21, 2024
    risk 0.42cvss 6.5epss 0.01

    Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to delete any directory on the file system if the target directory contains an XML definition file.

  • CVE-2019-7654MedJan 29, 2020
    risk 0.42cvss 6.5epss 0.01

    Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users…

  • CVE-2019-19456MedMay 18, 2020
    risk 0.40cvss 6.1epss 0.01

    A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.

  • CVE-2018-7049MedMar 1, 2018
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the HTTP providers (com.wowza.wms.http.HTTPProviderMediaList and com.wowza.wms.http.streammanager.HTTPStreamManager) causing script injection and/or reflection via a crafted HTTP…

  • CVE-2021-31539MedApr 23, 2021
    risk 0.36cvss 5.5epss 0.00

    Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

  • CVE-2019-19453MedAug 3, 2020
    risk 0.35cvss 5.4epss 0.01

    Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine…

  • CVE-2019-7655MedJan 29, 2020
    risk 0.35cvss 5.4epss 0.01

    Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of…

  • CVE-2017-16922MedMar 5, 2018
    risk 0.35cvss 5.3epss 0.01

    In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specifically crafted HTTP request.