CVE-2016-20035 in Streaming Engine
Summary
by MITRE • 03/16/2026
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2016-20035 resides within Wowza Streaming Engine version 4.5.0, a widely used media streaming platform that processes and delivers live and on-demand video content. This cross-site request forgery flaw represents a critical security weakness that directly undermines the integrity of the application's administrative controls and user management systems. The vulnerability specifically affects the user edit endpoint functionality, which serves as the administrative interface for managing user accounts and permissions within the streaming engine environment.
This CSRF vulnerability stems from the absence of proper request validation and anti-CSRF tokens in the affected application's administrative interfaces. When administrators use the Wowza Streaming Engine administration panel, the application does not adequately protect against cross-site requests triggered from crafted web pages. The flaw lets attackers abuse the trust relationship between the web application and its authenticated users, enabling unauthorized administrative actions without the attacker ever authenticating. It manifests when a logged-in administrative user visits a malicious website containing embedded JavaScript or HTML forms that automatically submit POST requests to the vulnerable user management endpoint.
The operational impact of this vulnerability extends far beyond simple privilege escalation, as it provides attackers with complete control over the streaming engine's administrative functions. Successful exploitation enables attackers to create new administrative accounts with arbitrary credentials, effectively granting them full access to the entire streaming platform. This compromise can lead to unauthorized content distribution, modification of streaming parameters, complete system takeover, and potential data exfiltration from the media server infrastructure. The vulnerability affects organizations relying on Wowza Streaming Engine for critical media delivery services, potentially exposing them to content theft, service disruption, and unauthorized access to sensitive streaming data. The attack vector is particularly concerning because it requires minimal technical expertise from threat actors and can be executed through simple web-based techniques.
Organizations affected by this vulnerability should apply immediate mitigations, starting with the vendor-provided security patches and updates. The recommended approach is to deploy the official fixes released by Wowza that close the CSRF protection gaps and strengthen authentication mechanisms. Network administrators should also consider additional controls such as web application firewalls that can detect and block CSRF attempts, together with regular monitoring of administrative access logs for suspicious activity. The vulnerability aligns with CWE-352, which covers cross-site request forgery weaknesses in web applications, and corresponds to techniques commonly categorized under the ATT&CK framework's privilege escalation and persistence tactics. Security teams should also enforce strict access controls and require multi-factor authentication for administrative accounts to limit the impact of a compromised session. Regular security assessments and penetration testing should be conducted to identify similar weaknesses in other web applications across the organization's infrastructure, as CSRF flaws remain prevalent in many legacy web platforms and streaming solutions.
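The two defences the analysis describes, a per-session anti-CSRF token and validation of the request's origin, as an added example written for this page (not Wowza's code; the host name, endpoint path and sample requests are constructed placeholders). The guard rejects a forged cross-site POST to the user edit endpoint while letting a same-origin request carrying the session token through:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Placeholder values for this example only; not Wowza's real host or endpoint path.
ADMIN_HOST = "admin.example.internal:8088"
USER_EDIT_PATH = "/placeholder/admin/users/edit"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token pattern: bind a fresh random token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_matches(headers: dict) -> bool:
    """Browsers attach Origin (or Referer) to cross-site form posts; require it to be our host.
    A missing header is treated as untrusted so omission cannot bypass the check."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == ADMIN_HOST


def _token_matches(form: dict, session: dict) -> bool:
    """Constant-time comparison of the submitted token against the session copy."""
    expected, submitted = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def is_state_change_allowed(method: str, path: str, headers: dict, form: dict, session: dict) -> bool:
    """Gate for the state-changing admin POST: both the origin and the token must check out."""
    if method.upper() != "POST" or path != USER_EDIT_PATH:
        return True  # only the user edit POST is guarded in this example
    return _origin_matches(headers) and _token_matches(form, session)


def demo() -> dict:
    """Constructed requests (not captured traffic): one legitimate, one forged from another site."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    legit = is_state_change_allowed("POST", USER_EDIT_PATH, {"Origin": "http://" + ADMIN_HOST},
                                    {"username": "ops", "csrf_token": token}, session)
    forged = is_state_change_allowed("POST", USER_EDIT_PATH, {"Referer": "http://third-party.example/"},
                                     {"username": "newadmin"}, session)
    return {"legit": legit, "forged": forged}
```

Either check alone would stop the request described in the analysis; requiring both means a leaked token or a spoofed header is not enough on its own.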