CVE-2016-20034 | THREATINT

Description

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Cross-Site Request Forgery (CSRF)

Product status

4.5.0

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.exploit-db.com/exploits/40133 (ExploitDB-40133) exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php (Vulnerability Advisory) vendor-advisory

www.vulncheck.com/...gine-privilege-escalation-via-user-edit (VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit) third-party-advisory

cve.org (CVE-2016-20034)

nvd.nist.gov (CVE-2016-20034)

Download JSON