EUVD-2016-10825
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Description
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Analysis
Wowza Streaming Engine version 4.5.0 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions without user interaction. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, automatically submits POST requests to create new administrative accounts with attacker-controlled credentials, effectively granting the attacker full administrative access to the streaming infrastructure. This vulnerability carries a CVSS score of 5.3 (medium severity) but represents significant real-world risk due to the simplicity of exploitation and the high-impact outcome of account creation.
Technical Context
Wowza Streaming Engine is a commercial media server platform that handles video streaming, transcoding, and content delivery management. The vulnerability exploits CWE-352 (Cross-Site Request Forgery), which occurs when the application fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens, SameSite cookie attributes, or origin/referrer validation on state-changing operations. The affected endpoint in question is the user administration endpoint (likely a REST or form-based API) that processes POST requests to create user accounts. Without CSRF tokens or proper request origin validation, an attacker's cross-origin POST request will be executed in the security context of an authenticated administrator's browser session. The vulnerability affects Wowza Streaming Engine 4.5.0 specifically, and potentially other versions in the 4.x branch depending on patch status.
Affected Products
Wowza Streaming Engine version 4.5.0 is confirmed affected by this CSRF vulnerability. The vulnerability may also affect other versions in the 4.x release line; organizations should consult the Wowza Security Advisories at https://www.wowza.com/security to determine the full scope of affected versions and the availability of patches. CPE identification for this product would be cpe:2.3:a:wowza:streaming_engine:4.5.0 and potentially adjacent versions. Administrators should verify their specific Wowza Streaming Engine build number against official vendor advisories before assuming protection status.
Remediation
Immediately upgrade Wowza Streaming Engine to the patched version specified in the official Wowza security advisory (consult https://www.wowza.com/security for the exact target version). If immediate patching is not feasible, implement compensating controls: restrict administrative console access to trusted IP address ranges using firewall or reverse proxy rules, enforce HTTPS-only connections with HSTS headers to reduce cross-origin attack surface, implement SameSite=Strict cookie policies if supported by the version, and instruct administrators to avoid visiting untrusted websites while maintaining active sessions to the Wowza console. Monitor administrative account creation logs for unauthorized accounts and consider implementing additional multi-factor authentication if available in your Wowza version. Test remediation in a non-production environment before deploying to production infrastructure.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today