Skip to main content

Streaming Engine CVE-2024-52053

HIGH
Cross-site Scripting (XSS) (CWE-79)
2024-11-21 cve@rapid7.com
8.7
CVSS 4.0 · Vendor: rapid7
Share

Severity by source

Vendor (rapid7) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (rapid7) · only source for this CVE.

CVSS VectorVendor: rapid7

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
CVE Published
Nov 21, 2024 - 23:15 cve.org
HIGH 8.7

DescriptionCVE.org

Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts.

AnalysisAI

Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts. Affected products include: Wowza Streaming Engine.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-9004 HIGH POC
8.8 Apr 14

A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-on

CVE-2021-35491 HIGH POC
8.1 Oct 05

A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to

CVE-2021-31540 HIGH POC
7.1 Apr 23

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files i

CVE-2021-35492 MEDIUM POC
6.5 Oct 05

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources vi

CVE-2018-7047 CRITICAL
9.8 Mar 01

An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. Rated critical severity (CVSS 9.8),

CVE-2021-31539 MEDIUM POC
5.5 Apr 23

Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.pass

CVE-2024-52052 CRITICAL
9.4 Nov 21

Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom ap

CVE-2024-52055 HIGH
8.2 Nov 21

Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to read any f

CVE-2018-7048 HIGH
7.5 Mar 01

An issue was discovered in Wowza Streaming Engine before 4.7.1. Rated high severity (CVSS 7.5), this vulnerability is re

CVE-2024-52056 MEDIUM
6.9 Nov 21

Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to delete any

CVE-2018-7049 MEDIUM
6.1 Mar 01

An issue was discovered in Wowza Streaming Engine before 4.7.1. Rated medium severity (CVSS 6.1), this vulnerability is

CVE-2024-52054 MEDIUM
5.1 Nov 21

Path Traversal in the Manager component of Wowza Streaming Engine below 4.9.1 allows an administrator user to create an

Share

CVE-2024-52053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy