RSS   Vulnerabilities for 'Streaming engine'   RSS

2021-10-05
 
CVE-2021-35491

CWE-352
 

 
A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request.

 
 
CVE-2021-35492

CWE-400
 

 
Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

 
2021-04-23
 
CVE-2021-31540

CWE-732
 

 
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.

 
 
CVE-2021-31539

CWE-312
 

 
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

 
2020-08-03
 
CVE-2019-19455

CWE-269
 

 
Wowza Streaming Engine through 2019-11-28 has Insecure Permissions.

 
 
CVE-2019-19453

CWE-79
 

 
Wowza Streaming Engine through 2019-11-28 allows XSS (issue 1 of 2).

 
2020-05-18
 
CVE-2019-19456

CWE-79
 

 
A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x.

 
 
CVE-2019-19454

NVD-CWE-noinfo
 

 
An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x

 
2020-04-14
 
CVE-2020-9004

CWE-863
 

 
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.7.8 (build 20191105123929) allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges.

 
2020-01-29
 
CVE-2019-7656

CWE-276
 

 
A privilege escalation vulnerability in Wowza Streaming Engine 4.7.7 and 4.7.8 allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse.

 


Copyright 2024, cxsecurity.com

 

Back to Top