Impact
Wowza Streaming Engine version 4.5.0 contains multiple reflected cross‑site scripting vulnerabilities in its enginemanager interface. Input supplied through parameters such as appName, vhost, uiAppType, and wowzaCloudDestinationType is not properly sanitized before being returned to the browser, allowing an attacker to inject arbitrary HTML and JavaScript. The flaw aligns with CWE‑79 – Improper Neutralization of Input During Web Page Generation. Based on the description, it is inferred that malicious script execution could lead to session hijacking, credential theft, or user‑interface defacement when a user views a crafted page.
Affected Systems
The only affected product identified by the CNA is Wowza Media Systems, LLC’s Wowza Streaming Engine 4.5.0, as specified by the CPE string cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*. No other versions are listed as vulnerable; therefore any installation running exactly version 4.5.0 remains exposed.
Risk and Exploitability
The CVSS score of 5.1 places this flaw in the medium‑severity range. The EPSS score of less than 1 % indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface; an attacker can craft a malicious request containing script payloads in the vulnerable parameters, which are then reflected back to the user’s browser. If a user interacts with the crafted URL or form, the injected script executes with the privileges of the user’s session, potentially enabling credential theft or other malicious actions.
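As a detection aid for the attack vector described above, the following added example (not code from Wowza or from the advisory) scans web access log lines for requests to the enginemanager interface where one of the four named parameters carries HTML markup characters. It assumes a combined-format access log in front of the interface; the request paths and log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names the advisory lists as reflected without sanitization.
WATCHED_PARAMS = {"appName", "vhost", "uiAppType", "wowzaCloudDestinationType"}
# Characters needed to leave an HTML text or attribute context (may need tuning).
MARKUP_CHARS = re.compile(r"[<>\"'`]")
# Request target in a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the watched parameter names whose value contains markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if "enginemanager" not in target.path.lower():
        return []
    hits = {name
            for name, value in parse_qsl(target.query, keep_blank_values=True)
            if name in WATCHED_PARAMS and MARKUP_CHARS.search(fully_decode(value))}
    return sorted(hits)

def scan_log(lines):
    """Return (line_number, parameter_names) for every flagged line."""
    results = [(n, suspicious_params(line)) for n, line in enumerate(lines, 1)]
    return [(n, params) for n, params in results if params]

# Constructed sample lines (not real traffic); paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /enginemanager/placeholder.htm?appName=live&vhost=example HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /enginemanager/placeholder.htm?appName=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5300',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /enginemanager/placeholder.htm?uiAppType=%253Cb%253E&vhost=example HTTP/1.1" 200 5300',
    '192.0.2.77 - - [01/Jan/2024:10:03:00 +0000] "GET /docs/search?appName=%3Cb%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for line_no, params in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: markup in {', '.join(params)}")
```

Only values visible in the request line are inspected; parameters sent in a POST body need the same check applied wherever the body is logged.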