CVE-2016-20036

MEDIUM

Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities

Title source: cna

Description

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · multiple
https://www.exploit-db.com/exploits/40135

References (3)

Core References
Exploit: ExploitDB-40135
https://www.exploit-db.com/exploits/40135
Vendor Advisory: Vulnerability Advisory
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
Third Party Advisory: VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
https://www.vulncheck.com/advisories/wowza-streaming-engine-multiple-cross-site-scripting-vulnerabilities

Scores

CVSS v3 6.1
EPSS 0.0004
EPSS Percentile 13.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
wowza/streaming_engine 4.5.0
Wowza Media Systems, LLC./Wowza Streaming Engine 4.5.0
Published Mar 16, 2026
Tracked Since Mar 16, 2026