Wowza Streaming Engine Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Wowza Streaming Engine version 4.5.0. The flaw is in the enginemanager interface, where user input is not properly sanitized before being displayed. Attackers can exploit it by injecting malicious scripts through various parameters, such as appName, vhost, uiAppType, and wowzaCloudDestinationType, across multiple endpoints. Successful exploitation results in the execution of arbitrary HTML and JavaScript in the context of the user's browser session.

Impact

An attacker who exploits this reflected cross-site scripting vulnerability can inject and execute malicious scripts in the context of the user's session.

Reproduction

The vulnerability can be reproduced by sending a request to the Wowza Streaming Engine enginemanager interface with injected script tags in the vulnerable parameters. This can be done through various endpoints, such as application monitoring or live edge security playback, where the injected script is executed in the user's browser.
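
For detection, the request pattern described above can be looked for in web access logs. The following is an added example, not part of the original advisory or of Wowza's code: it flags enginemanager requests in which one of the named parameters carries HTML metacharacters after URL decoding. The log format, the endpoint path `/enginemanager/placeholder-endpoint` and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameters the advisory names as reflected without sanitization.
WATCHED_PARAMS = {"appName", "vhost", "uiAppType", "wowzaCloudDestinationType"}
# Characters that do not belong in these identifiers and that enable HTML/JS injection.
HTML_META = re.compile(r"[<>\"'`]")
# Request line as written in common/combined log format (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the endpoint path is a placeholder, not a real Wowza path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /enginemanager/placeholder-endpoint?appName=live&vhost=vhost1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2026:10:00:05 +0000] "GET /enginemanager/placeholder-endpoint?appName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188',
    '10.0.0.9 - - [01/Jan/2026:10:00:09 +0000] "GET /enginemanager/placeholder-endpoint?uiAppType=%253Cb%253E HTTP/1.1" 200 5201',
]

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding (%253C -> %3C -> <), bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched parameters containing HTML metacharacters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if "/enginemanager" not in target.path:
        return []
    hits = []
    # parse_qsl performs the first round of URL decoding; decode_fully handles nesting.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        decoded = decode_fully(value)
        if name in WATCHED_PARAMS and HTML_META.search(decoded):
            hits.append((name, decoded))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"suspicious {name}={value!r} in: {line}")
```

The check only sees parameters carried in the query string; values sent in a POST body need the same test applied at a proxy or WAF that can inspect request bodies.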

Added: Mar 16, 2026, 3:08 PM
Updated: Mar 16, 2026, 3:08 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.