Description

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

4.5.0: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.exploit-db.com/exploits/40135 (ExploitDB-40135) exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php (Vulnerability Advisory) vendor-advisory

www.vulncheck.com/...le-cross-site-scripting-vulnerabilities (VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities) third-party-advisory

cve.org (CVE-2016-20036)

nvd.nist.gov (CVE-2016-20036)
