PT-2021-20931 · Wowza · Wowza Streaming Engine

Massimiliano Brolli

Published

2021-10-05

Updated

2021-11-06

CVE-2021-35491

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Wowza Streaming Engine versions 4.8.11+5 through 4.8.13

Description: A Cross-Site Request Forgery (CSRF) issue allows a remote attacker to delete a user account via the "/enginemanager/server/user/delete.htm" API endpoint using the userName parameter. The application does not implement a CSRF token for the GET request.

Recommendations: For versions 4.8.11+5 through 4.8.13, update to Wowza Streaming Engine release 4.8.14 to resolve the issue. As a temporary workaround, consider restricting access to the "/enginemanager/server/user/delete.htm" API endpoint to minimize the risk of exploitation. Avoid using the userName parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2021-35491

Affected Products

Wowza Streaming Engine

PT-2021-20931 · Wowza · Wowza Streaming Engine

CVE-2021-35491

Weakness Enumeration

Related Identifiers

Affected Products

References · 7