CVE-2016-20035

Name of the Vulnerable Software and Affected Versions Wowza Streaming Engine version 4.5.0

Description The software contains a cross-site request forgery issue that allows attackers to perform administrative actions by creating malicious web pages. Attackers can deceive logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new administrator accounts with arbitrary credentials. The vulnerable endpoint is /user edit. The credentials used for the new admin accounts can be set arbitrarily by the attacker.

Recommendations Apply a fix or update to a newer version that addresses this cross-site request forgery issue. As a temporary workaround, consider restricting access to the /user edit endpoint to authorized IP addresses only.