CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows an authenticated read-only user to elevate to administrator by manipulating POST parameters. An attacker can send a POST request to the user edit endpoint with the accessLevel parameter set to 'admin' and the advUser parameters set to 'true' and 'on' to gain administrative access.
Analysis
A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.
Technical Context
The vulnerability affects Wowza Streaming Engine, a media server software for streaming video and audio content. According to the CPE identifier (cpe:2.3:a:wowza_media_systems,_llc.:wowza_streaming_engine:*:*:*:*:*:*:*:*), multiple versions may be affected beyond just 4.5.0. The root cause is CWE-352 (Cross-Site Request Forgery), indicating the application fails to properly validate that requests to modify user privileges originate from legitimate sources, allowing attackers to forge requests that elevate privileges without proper authorization checks.
Affected Products
Wowza Streaming Engine 4.5.0 is confirmed affected per ENISA EUVD-2016-10823. The CPE string uses wildcards (*), suggesting other versions may also be vulnerable. The vendor is Wowza Media Systems, LLC. Users should verify with the vendor advisory at http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php for a complete list of affected versions.
Remediation
Upgrade Wowza Streaming Engine to a patched version newer than 4.5.0 (specific patch version not provided in references). As an immediate workaround, restrict access to the user management interface to trusted administrators only, implement additional authentication layers, or use network segmentation to limit access. Monitor user privilege changes in logs. Consult the vendor advisory and VulnCheck advisory (https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit) for detailed remediation guidance.
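To make the root cause and the fix concrete, the following is an added example and not Wowza's code: a minimal user-edit handler in the shape the advisory describes (any authenticated caller can set accessLevel/advUser, and no anti-CSRF token is checked) next to a hardened handler that ties the request to a per-session token and refuses privileged fields unless the caller is already an administrator. The Session and User types, the csrfToken field name, the access level values and the audit log are assumptions for illustration; only the accessLevel and advUser parameter names come from the page.

```python
"""Added example (not Wowza's code): server-side enforcement for a user-edit
endpoint so that privilege fields in a POST body cannot be used by a read-only
account to grant itself admin, plus CSRF token validation (CWE-352).
Session, User, csrfToken and the access level values are illustrative."""
import hmac
import secrets
from dataclasses import dataclass, field

# Fields only an administrator may change (parameter names from the advisory).
PRIVILEGED_FIELDS = {"accessLevel", "advUser"}
VALID_LEVELS = ("readonly", "admin")   # assumed value set

# Assumed audit trail; the remediation text asks to monitor privilege changes.
AUDIT_LOG = []


@dataclass
class Session:
    username: str
    access_level: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class User:
    username: str
    access_level: str = "readonly"
    adv_user: bool = False


class AuthorizationError(Exception):
    pass


def edit_user_vulnerable(session, target, form):
    """Mirrors the flaw the page describes: the caller's own role is never
    consulted and no CSRF token is checked, so client-supplied privilege
    fields are applied as-is."""
    if "accessLevel" in form:
        target.access_level = form["accessLevel"]
    if "advUser" in form:
        target.adv_user = form["advUser"] in ("true", "on")
    return target


def edit_user_hardened(session, target, form):
    """Hardened handler: verify the session-bound CSRF token first, then
    reject privileged fields from non-admin callers, then validate values."""
    token = form.get("csrfToken", "")
    if not hmac.compare_digest(token, session.csrf_token):
        raise AuthorizationError("missing or invalid CSRF token")
    requested = PRIVILEGED_FIELDS & set(form)
    if requested and session.access_level != "admin":
        # A read-only account asking for admin is itself worth alerting on.
        AUDIT_LOG.append(f"DENIED {session.username} -> {target.username} {sorted(requested)}")
        raise AuthorizationError(f"{session.username} may not change {sorted(requested)}")
    if "accessLevel" in form:
        if form["accessLevel"] not in VALID_LEVELS:
            raise ValueError("unknown accessLevel")
        target.access_level = form["accessLevel"]
    if "advUser" in form:
        target.adv_user = form["advUser"] in ("true", "on")
    if requested:
        AUDIT_LOG.append(f"CHANGED {session.username} -> {target.username} {sorted(requested)}")
    return target


def try_edit(handler, session, target, form):
    """Run a handler and report the outcome as a tuple for easy comparison."""
    try:
        user = handler(session, target, form)
        return ("ok", user.access_level, user.adv_user)
    except AuthorizationError as exc:
        return ("denied", str(exc), None)


def readonly_self_escalation(handler):
    """Constructed scenario: a read-only user edits their own record with the
    parameters named in the advisory, using a token that is valid for them."""
    session = Session("viewer", "readonly")
    target = User("viewer")
    form = {"accessLevel": "admin", "advUser": "true", "csrfToken": session.csrf_token}
    return try_edit(handler, session, target, form)


def admin_edit(correct_token=True):
    """Constructed scenario: an administrator promotes a user, with or without
    the CSRF token bound to the admin's session."""
    session = Session("root", "admin")
    target = User("viewer")
    form = {"accessLevel": "admin", "advUser": "on",
            "csrfToken": session.csrf_token if correct_token else "stale-token"}
    return try_edit(edit_user_hardened, session, target, form)


if __name__ == "__main__":
    print(readonly_self_escalation(edit_user_vulnerable))
    print(readonly_self_escalation(edit_user_hardened))
    print(admin_edit(), admin_edit(correct_token=False), AUDIT_LOG)
```

The order of checks matters: the token check comes first so that a forged cross-site request is rejected before any role logic runs, and the role check is on the caller's session, never on anything in the request body. The denied attempt is written to the audit trail, which is the signal the remediation section recommends monitoring.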