CVE-2016-20034

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/40133	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 14:17

Updated : 2026-03-19 14:16

NVD link : CVE-2016-20034

Mitre link : CVE-2016-20034

CVE.ORG link : CVE-2016-20034

JSON object : View

Products Affected

wowza

streaming_engine

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2016-20034", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-16T14:17:50.507", "references": [{"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/40133", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wowza-streaming-engine-privilege-escalation-via-user-edit", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access."}, {"lang": "es", "value": "Wowza Streaming Engine 4.5.0 contiene una vulnerabilidad de escalada de privilegios que permite a usuarios autenticados de solo lectura elevar privilegios a administrador manipulando par\u00e1metros POST. Los atacantes pueden enviar solicitudes POST al endpoint de edici\u00f3n de usuario con accessLevel establecido en 'admin' y los par\u00e1metros advUser establecidos en 'true' y 'on' para obtener acceso administrativo."}], "lastModified": "2026-03-19T14:16:48.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDC6B630-F0E9-4F80-8EF2-112FAB0A46C2"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}