← Advisories

Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities

Medium
Advisory ID
ZSL-2016-5343
Release Date
19 July 2016
Vendor
Wowza Media Systems, LLC. - https://www.wowza.com
Affected Version
4.5.0 (build 18676)
CVE
CVE-2016-20036
Tested On
Winstone Servlet Engine v1.0.5, Servlet/2.5 (Winstone/1.0.5)
Summary

Wowza Streaming Engine is robust, customizable, and scalable server software that powers reliable video and audio streaming to any device. Learn the benefits of using Wowza Streaming Engine to deliver high-quality live and on-demand video content to any device.

Description

Wowza Streaming Engine suffers from multiple reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
wowza_xss.txtTXT
Disclosure Timeline
03.07.2016Vulnerability discovered.
09.07.2016Contact with the vendor.
18.07.2016No response from the vendor.
19.07.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40135/
[2]https://packetstormsecurity.com/files/137975
[3]https://cxsecurity.com/issue/WLB-2016070152
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/115114
[5]https://www.cve.org/CVERecord?id=CVE-2016-20036
Changelog
19.07.2016Initial release
22.07.2016Added reference [1], [2] and [3]
26.07.2016Added reference [4]
24.03.2026Added reference [5]