8.7
CVE-2017-20217 - Serviio PRO 1.8 REST API Information Disclosure
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieveโฆ
5.1
CVE-2016-20036 - Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appโฆ
6.9
CVE-2016-20035 - Wowza Streaming Engine 4.5.0 CSRF via user edit endpoint
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint โฆ
8.7
CVE-2016-20034 - Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parametโฆ
8.5
CVE-2016-20033 - Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manโฆ
8.8
CVE-2015-20121 - RealtyScript 4.0.2 SQL Injection via u_id and agent Parameters
Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers canโฆ
5.1
CVE-2015-20119 - RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with crโฆ
5.1
CVE-2015-20118 - RealtyScript 4.0.2 Stored Cross-Site Scripting via location_name Parameter
Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary codeโฆ
6.9
CVE-2015-20117 - RealtyScript 4.0.2 Cross-Site Request Forgery Unauthorized User Creation
Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmโฆ
5.1
CVE-2015-20116 - RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename
Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browserโฆ