CVE-2016-20036

MEDIUM

Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20036. PoCs published by LiquidWorm.

AI-analyzed exploit summary: The exploit demonstrates multiple reflected XSS vulnerabilities in Wowza Streaming Engine 4.5.0 by injecting JavaScript payloads into various parameters across multiple endpoints. The PoC includes both GET and POST requests with crafted inputs that trigger arbitrary script execution in the context of the affected site.

Description

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · multiple
https://www.exploit-db.com/exploits/40135

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Wowza Streaming Engine 4.5.0 (build 18676)
No auth needed
Prerequisites: Access to the Wowza Streaming Engine management interface
devstral-2 · analyzed Mar 16, 2026

References (3)

Core References

Exploit: ExploitDB-40135
https://www.exploit-db.com/exploits/40135

Vendor Advisory: Vulnerability Advisory
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php

Third Party Advisory: VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
https://www.vulncheck.com/advisories/wowza-streaming-engine-multiple-cross-site-scripting-vulnerabilities

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 14.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE: CWE-79
Status published
Products (2)
wowza/streaming_engine 4.5.0
Wowza Media Systems, LLC./Wowza Streaming Engine 4.5.0
Published Mar 16, 2026
Tracked Since Mar 16, 2026