PT-2020-11250 · Wowza · Wowza Streaming Engine
Published: 2020-01-29 · Updated: 2022-10-14
CVE-2019-7654
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Wowza Streaming Engine versions 4.8.0 and earlier
Wowza Streaming Engine versions 4.7.7 through 4.7.8
Description
The issue allows an administrator to be tricked into making unwanted changes, such as adding another admin user, by following a link. This can be done via the enginemanager/server/user/edit.htm endpoint in the Server->Users component.
Recommendations
For Wowza Streaming Engine versions 4.8.0 and earlier, update to version 4.8.5 or later to resolve the issue.
For Wowza Streaming Engine versions 4.7.7 through 4.7.8, update to version 4.8.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the enginemanager/server/user/edit.htm endpoint in the Server->Users component to minimize the risk of exploitation.
Exploit
Fix
CSRF
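Until the update is applied, access logs can be reviewed for requests to this endpoint that did not originate from Engine Manager's own pages. The following is an added example, not part of the advisory or of Wowza's code; it assumes a reverse proxy in front of Engine Manager that writes combined-format access logs, and the hostnames and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/enginemanager/server/user/edit.htm"

# Assumption: combined log format written by a reverse proxy in front of Engine Manager.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2020:10:01:02 +0000] "POST /enginemanager/server/user/edit.htm HTTP/1.1" 302 0 "http://wowza.example.internal:8088/enginemanager/server/user/edit.htm" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Feb/2020:10:07:41 +0000] "POST /enginemanager/server/user/edit.htm HTTP/1.1" 302 0 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Feb/2020:10:09:00 +0000] "GET /enginemanager/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Feb/2020:10:12:30 +0000] "GET /enginemanager/server/user/edit.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def referer_host(referer):
    """Hostname of a Referer value (lowercased, no port); None if absent or unparsable."""
    if referer in ("", "-"):
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def cross_site_hits(lines, trusted_hosts):
    """Return requests to ENDPOINT whose Referer host is not one of trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["target"].split("?", 1)[0] != ENDPOINT:
            continue
        host = referer_host(m["referer"])
        if host in trusted:
            continue  # request came from Engine Manager's own pages
        reason = "no usable referer" if host is None else "foreign referer " + host
        hits.append({"ts": m["ts"], "ip": m["ip"], "method": m["method"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in cross_site_hits(SAMPLE_LOG, {"wowza.example.internal"}):
        print(hit)
```

Entries with no usable Referer are reported separately because they also occur for bookmarked or directly typed URLs and need manual review.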
Affected Products
Wowza Streaming Engine