RSS   Vulnerabilities for 'Streaming engine'   RSS

2021-04-23
 
CVE-2021-31540

CWE-732
 

 
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.

 
 
CVE-2021-31539

CWE-312
 

 
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

 
2020-08-03
 
CVE-2019-19455

CWE-269
 

 
Wowza Streaming Engine through 2019-11-28 has Insecure Permissions.

 
 
CVE-2019-19453

CWE-79
 

 
Wowza Streaming Engine through 2019-11-28 allows XSS (issue 1 of 2).

 
2020-05-18
 
CVE-2019-19456

CWE-79
 

 
A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x.

 
 
CVE-2019-19454

NVD-CWE-noinfo
 

 
An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x

 
2020-04-14
 
CVE-2020-9004

CWE-863
 

 
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.7.8 (build 20191105123929) allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges.

 
2020-01-29
 
CVE-2019-7656

CWE-276
 

 
A privilege escalation vulnerability in Wowza Streaming Engine 4.7.7 and 4.7.8 allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse.

 
 
CVE-2019-7655

CWE-79
 

 
Wowza Streaming Engine 4.7.7 and 4.7.8 suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form.

 
 
CVE-2019-7654

CWE-352
 

 
Wowza Streaming Engine 4.7.7 and 4.7.8 suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component.

 


Copyright 2021, cxsecurity.com

 

Back to Top