Skip to main content

Wowza Streaming Engine EUVD-2016-10825

| CVE-2016-20035 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-15 VulnCheck
CSRF Wowza Streaming Engine
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 20:00 euvd
EUVD-2016-10825
Analysis Generated
Mar 15, 2026 - 20:00 vuln.today
CVE Published
Mar 15, 2026 - 18:34 nvd
MEDIUM 5.3

DescriptionCVE.org

Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.

AnalysisAI

Wowza Streaming Engine version 4.5.0 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions without user interaction. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, automatically submits POST requests to create new administrative accounts with attacker-controlled credentials, effectively granting the attacker full administrative access to the streaming infrastructure. This vulnerability carries a CVSS score of 5.3 (medium severity) but represents significant real-world risk due to the simplicity of exploitation and the high-impact outcome of account creation.

Technical ContextAI

Wowza Streaming Engine is a commercial media server platform that handles video streaming, transcoding, and content delivery management. The vulnerability exploits CWE-352 (Cross-Site Request Forgery), which occurs when the application fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens, SameSite cookie attributes, or origin/referrer validation on state-changing operations. The affected endpoint in question is the user administration endpoint (likely a REST or form-based API) that processes POST requests to create user accounts. Without CSRF tokens or proper request origin validation, an attacker's cross-origin POST request will be executed in the security context of an authenticated administrator's browser session. The vulnerability affects Wowza Streaming Engine 4.5.0 specifically, and potentially other versions in the 4.x branch depending on patch status.

RemediationAI

Immediately upgrade Wowza Streaming Engine to the patched version specified in the official Wowza security advisory (consult https://www.wowza.com/security for the exact target version). If immediate patching is not feasible, implement compensating controls: restrict administrative console access to trusted IP address ranges using firewall or reverse proxy rules, enforce HTTPS-only connections with HSTS headers to reduce cross-origin attack surface, implement SameSite=Strict cookie policies if supported by the version, and instruct administrators to avoid visiting untrusted websites while maintaining active sessions to the Wowza console. Monitor administrative account creation logs for unauthorized accounts and consider implementing additional multi-factor authentication if available in your Wowza version. Test remediation in a non-production environment before deploying to production infrastructure.

Share

EUVD-2016-10825 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy