CVE-2016-20034

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/40133	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*

History

19 Mar 2026, 14:16

Type	Values Removed	Values Added
References	~~() http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php -~~	() http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php - Exploit, Third Party Advisory
References	~~() https://www.exploit-db.com/exploits/40133 -~~	() https://www.exploit-db.com/exploits/40133 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit -~~	() https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit - Third Party Advisory
Summary		(es) Wowza Streaming Engine 4.5.0 contiene una vulnerabilidad de escalada de privilegios que permite a usuarios autenticados de solo lectura elevar privilegios a administrador manipulando parámetros POST. Los atacantes pueden enviar solicitudes POST al endpoint de edición de usuario con accessLevel establecido en 'admin' y los parámetros advUser establecidos en 'true' y 'on' para obtener acceso administrativo.
First Time		Wowza Wowza streaming Engine
CPE		cpe:2.3:a:wowza:streaming_engine:4.5.0:::::::*

16 Mar 2026, 14:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:17

Updated : 2026-03-19 14:16

NVD link : CVE-2016-20034

Mitre link : CVE-2016-20034

CVE.ORG link : CVE-2016-20034

JSON object : View

Products Affected

wowza

streaming_engine

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

8.8 /10