CVE-2016-20034
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Wowza Media Systems, LLC. | Wowza Streaming Engine | 4.5.0 | affected |
Weaknesses
- CWE-352: Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/40133
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
- https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.