{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2016-20036","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-03-15T18:22:32.983Z","datePublished":"2026-03-15T18:34:23.829Z","dateUpdated":"2026-03-16T14:30:29.820Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-15T18:34:23.829Z"},"datePublic":"2016-07-20T00:00:00.000Z","title":"Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities","descriptions":[{"lang":"en","value":"Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","cweId":"CWE-79","type":"CWE"}]}],"affected":[{"vendor":"Wowza Media Systems, LLC.","product":"Wowza Streaming Engine","versions":[{"version":"4.5.0","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.1,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/40135","name":"ExploitDB-40135","tags":["exploit"]},{"url":"http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php","name":"Vulnerability Advisory","tags":["vendor-advisory"]},{"name":"VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/wowza-streaming-engine-multiple-cross-site-scripting-vulnerabilities"}],"credits":[{"lang":"en","value":"LiquidWorm as Gjoko Krstic of Zero Science Lab","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2016-20036","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2026-03-16T14:18:33.015525Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-16T14:30:29.820Z"}}]}}