CVE-2016-20036

EUVD-2016-10827 | MEDIUM 6.1 (CVSS 3.1) | 2026-03-15 | VulnCheck

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

PoC Detected: Mar 16, 2026 - 14:53 (vuln.today) - Public exploit code
EUVD ID Assigned: Mar 15, 2026 - 20:00 (euvd) - EUVD-2016-10827
Analysis Generated: Mar 15, 2026 - 20:00 (vuln.today)
CVE Published: Mar 15, 2026 - 18:34 (nvd) - MEDIUM 6.1

Description

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

Analysis

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities in the enginemanager interface where user-supplied input through parameters (appName, vhost, uiAppType, wowzaCloudDestinationType) is not properly sanitized before being returned to users. An attacker can inject malicious JavaScript to execute arbitrary code in a victim's browser session, potentially compromising administrator credentials or session tokens. A public proof-of-concept exploit exists, increasing real-world exploitation risk.

Technical Context

The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw: the enginemanager web interface fails to encode or validate user input before reflecting it in HTTP responses. The affected product is Wowza Streaming Engine (CPE: cpe:2.3:a:wowza_media_systems,_llc.:wowza_streaming_engine:*:*:*:*:*:*:*:*), a commercial multimedia streaming platform. Version 4.5.0 is the confirmed affected version; other versions are not ruled out. The enginemanager is a web-based administrative interface that processes multiple query/POST parameters without adequate output encoding, allowing attackers to inject payloads that execute in the context of authenticated admin sessions.

Affected Products

Wowza Streaming Engine version 4.5.0 (confirmed in EUVD-2016-10827). The CPE mask cpe:2.3:a:wowza_media_systems,_llc.:wowza_streaming_engine:*:*:*:*:*:*:*:* suggests potential impact on other versions, but EUVD documentation confirms 4.5.0 as the reported affected version. The enginemanager interface is the attack surface. Vendor: Wowza Media Systems, LLC. No vendor advisory link was provided in the reference set, though ZeroScience (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php) and VulnCheck (https://www.vulncheck.com/advisories/wowza-streaming-engine-multiple-cross-site-scripting-vulnerabilities) published advisories.

Remediation

The provided data does not state a specific patch version. Recommended remediation steps:

(1) Upgrade Wowza Streaming Engine to a version released after 4.5.0 that addresses XSS sanitization (consult Wowza release notes).
(2) Implement Web Application Firewall (WAF) rules to block payloads containing script tags or event handlers in the affected parameters (appName, vhost, uiAppType, wowzaCloudDestinationType).
(3) Apply the HttpOnly and Secure flags to session cookies to mitigate session hijacking via XSS.
(4) Implement Content Security Policy (CSP) headers to restrict inline script execution.
(5) Restrict administrative interface access via IP allowlisting or VPN.
(6) Update input validation and output encoding in enginemanager endpoints to use context-aware encoding libraries.

Consult Wowza Media Systems official patch documentation or contact vendor support for specific upgrade paths.
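As an added illustration of remediation steps (3), (4) and (6), not code from Wowza or from this advisory: the unencoded attribute rendering beside its encoded form for the parameters named above, and a header check for the cookie flags and CSP those steps call for. The parameter values and response headers are constructed samples, not captures from a real enginemanager instance.

```python
import html
from http.cookies import SimpleCookie

# Parameters the advisory names as reflected by the enginemanager interface.
REFLECTED_PARAMS = ("appName", "vhost", "uiAppType", "wowzaCloudDestinationType")

def render_unsafe(params):
    """Vulnerable pattern (CWE-79): values concatenated into HTML attributes as-is."""
    return "".join(f'<input name="{k}" value="{v}">'
                   for k, v in params.items() if k in REFLECTED_PARAMS)

def render_safe(params):
    """Hardened pattern: context-aware encoding for the HTML attribute context."""
    return "".join(
        f'<input name="{html.escape(k, quote=True)}" value="{html.escape(v, quote=True)}">'
        for k, v in params.items() if k in REFLECTED_PARAMS)

def audit_headers(headers):
    """Return the step (3)/(4) mitigations missing from a list of (name, value) headers."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {cookie} lacks HttpOnly")
            if not morsel["secure"]:
                findings.append(f"cookie {cookie} lacks Secure")
    csp = next((v for n, v in headers if n.lower() == "content-security-policy"), None)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP still allows 'unsafe-inline'")
    return findings

# Constructed sample responses (not captured from a real Wowza instance).
WEAK_HEADERS = [("Set-Cookie", "JSESSIONID=constructed123; Path=/")]
HARDENED_HEADERS = [
    ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly; Secure"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
]

if __name__ == "__main__":
    # Constructed probe value: breaks out of the attribute only in the unsafe renderer.
    probe = {"appName": '"><script>x</script>', "vhost": "vhost1"}
    print(render_unsafe(probe))
    print(render_safe(probe))
    print(audit_headers(WEAK_HEADERS), audit_headers(HARDENED_HEADERS))
```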

Priority Score

51 (KEV: 0, EPSS: +0.0, CVSS: +30, PoC: +20)


CVE-2016-20036 vulnerability details – vuln.today
