CVE-2016-20035

MEDIUM

Wowza Streaming Engine 4.5.0 CSRF via user edit endpoint

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20035. PoCs published by LiquidWorm.

AI-analyzed exploit summary This HTML file demonstrates a CSRF vulnerability in Wowza Streaming Engine 4.5.0, allowing an attacker to create an admin user via a crafted POST request if a logged-in admin visits the malicious page.

Description

Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · htmlwebappsmultiple

https://www.exploit-db.com/exploits/40134

View Code ZIP pw:eip

This HTML file demonstrates a CSRF vulnerability in Wowza Streaming Engine 4.5.0, allowing an attacker to create an admin user via a crafted POST request if a logged-in admin visits the malicious page.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Wowza Streaming Engine 4.5.0 (build 18676)

Auth required

Prerequisites: Admin user must be logged in and visit the malicious page

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Mar 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-40134

https://www.exploit-db.com/exploits/40134

Vendor Advisory vendor-advisory

Vulnerability Advisory

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php

Third Party Advisory third-party-advisory

VulnCheck Advisory: Wowza Streaming Engine 4.5.0 CSRF via user edit endpoint

https://www.vulncheck.com/advisories/wowza-streaming-engine-csrf-via-user-edit-endpoint

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (2)

wowza/streaming_engine 4.5.0

Wowza Media Systems, LLC./Wowza Streaming Engine 4.5.0

Published Mar 16, 2026

Tracked Since Mar 16, 2026