A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14.

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.
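
A local check for the two file-permission conditions described above (configuration writable by any local user, and admin.password readable by any local user), followed by a tightening step. This is an added example, not code from Wowza or from the original page; it assumes a POSIX host, and every name except conf/ and admin.password is hypothetical.

```shell
#!/bin/sh
# Added example (not Wowza code): audit a conf/ directory for exposure to
# regular local users, then remove access for "other".

# Prints one finding per line; returns 0 if clean, 1 if findings, 2 on error.
audit_conf_dir() {
    conf_dir=$1
    [ -d "$conf_dir" ] || { echo "not a directory: $conf_dir" >&2; return 2; }
    findings=$(
        # Any local user can modify these files (or replace files in a dir).
        find "$conf_dir" \( -type f -o -type d \) -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Any local user can read the stored admin credentials.
        find "$conf_dir" -type f -name admin.password -perm -0004 -print |
            sed 's/^/WORLD_READABLE_CREDENTIALS /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Removes all access for "other" below the given directory.
# Assumption: files are already owned by the account the service runs as.
harden_conf_dir() {
    chmod -R o-rwx "$1"
}

# Constructed demo tree; Example.xml and the credentials are made up.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/conf"
    echo 'constructed-user constructed-password' > "$d/conf/admin.password"
    echo '<Root/>' > "$d/conf/Example.xml"
    chmod 755 "$d/conf"
    chmod 644 "$d/conf/admin.password"
    chmod 666 "$d/conf/Example.xml"
    echo "before:"; audit_conf_dir "$d/conf" || true
    harden_conf_dir "$d/conf"
    rc=0
    echo "after:"; audit_conf_dir "$d/conf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script --demo | script /path/to/conf (the path is site-specific)
if [ "${1:-}" = "--demo" ]; then demo; elif [ "$#" -ge 1 ]; then audit_conf_dir "$1"; fi
```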