PT-2020-11251 · Wowza · Wowza Streaming Engine
Drunkenshells · Published 2020-01-29 · Updated 2022-10-14 · CVE-2019-7655
CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Wowza Streaming Engine versions 4.8.0 and earlier
Wowza Streaming Engine versions 4.7.7 and 4.7.8
Description
The issue arises from multiple authenticated XSS vulnerabilities. These can be exploited via the customList%5B0%5D.value field in "enginemanager/server/serversetup/edit_adv.htm" of the Server Setup configuration or the host field in "enginemanager/j_spring_security_check" of the login form.
Recommendations
For Wowza Streaming Engine versions 4.8.0 and earlier, update to version 4.8.5 or later to resolve the issue.
For Wowza Streaming Engine versions 4.7.7 and 4.7.8, update to version 4.8.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the customList%5B0%5D.value field in the Server Setup configuration and the host field in the login form to minimize the risk of exploitation.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Wowza Streaming Engine