wowza 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、パス処理の欠陥, and vendor risk csrf に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2016-20036 | Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session. | [email protected] | 5.1 | 0.05% | 2026-03-16 | 2026-03-19 |
| CVE-2016-20035 | Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials. | [email protected] | 6.9 | 0.05% | 2026-03-16 | 2026-03-19 |
| CVE-2016-20034 | Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access. | [email protected] | 8.7 | 0.02% | 2026-03-16 | 2026-03-19 |
| CVE-2016-20033 | Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart. | [email protected] | 8.5 | 0.01% | 2026-03-16 | 2026-03-19 |
| CVE-2024-52056 | Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to delete any directory on the file system if the target directory contains an XML definition file. | [email protected] | 6.9 | 0.17% | 2024-11-21 | 2025-03-03 |
| CVE-2024-52055 | Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to read any file on the file system if the target directory contains an XML definition file. | [email protected] | 8.2 | 0.18% | 2024-11-21 | 2025-03-03 |
| CVE-2024-52054 | Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to create an XML definition file anywhere on the file system. | [email protected] | 5.1 | 0.16% | 2024-11-21 | 2025-03-03 |
| CVE-2024-52053 | Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts. | [email protected] | 8.7 | 0.76% | 2024-11-21 | 2025-03-03 |
| CVE-2024-52052 | Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution. | [email protected] | 9.4 | 3.52% | 2024-11-21 | 2025-02-26 |
| CVE-2021-35492 | Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker t | [email protected] | 6.5 | 12.98% | 2021-10-05 | 2024-11-21 |
| CVE-2021-35491 | A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14. | [email protected] | 8.1 | 0.20% | 2021-10-05 | 2024-11-21 |
| CVE-2021-31540 | Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration. | [email protected] | 7.1 | 0.03% | 2021-04-23 | 2024-11-21 |
| CVE-2021-31539 | Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords. | [email protected] | 5.5 | 0.04% | 2021-04-23 | 2024-11-21 |
| CVE-2019-19455 | Wowza Streaming Engine before 4.8.5 has Insecure Permissions which may allow a local attacker to escalate privileges in / usr / local / WowzaStreamingEngine / manager / bin / in the Linux version of the server by writing arbitrary commands in any file and execute them as root. This issue was resolved in Wowza Streaming Engine 4.8.5. | [email protected] | 7.8 | 0.03% | 2020-08-03 | 2024-11-21 |
| CVE-2019-19453 | Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user, with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5. | [email protected] | 5.4 | 0.43% | 2020-08-03 | 2024-11-21 |
| CVE-2019-19456 | A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. | [email protected] | 6.1 | 0.26% | 2020-05-18 | 2024-11-21 |
| CVE-2019-19454 | An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0. | [email protected] | 7.5 | 0.73% | 2020-05-18 | 2024-11-21 |
| CVE-2020-9004 | A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5. | [email protected] | 8.8 | 0.54% | 2020-04-14 | 2024-11-21 |
| CVE-2019-7656 | A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streami | [email protected] | 7.8 | 0.08% | 2020-01-29 | 2024-11-21 |
| CVE-2019-7655 | Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5. | [email protected] | 5.4 | 0.55% | 2020-01-29 | 2024-11-21 |