Wowza Streaming Engine Cross-Site Request Forgery Vulnerability in User Management

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Wowza Streaming Engine version 4.5.0. This vulnerability allows attackers to perform administrative actions by tricking logged-in administrators into visiting malicious websites. The crafted sites can submit POST requests to the user edit endpoint, enabling the creation of new admin accounts with arbitrary credentials.

Impact

Successful exploitation gives an attacker unauthorized administrative access through a newly created admin account with custom credentials.

Reproduction

To reproduce this vulnerability, a malicious web page must be created that submits a POST request to the user edit endpoint of the Wowza Engine Manager. The request should include parameters to create a new admin account, such as the username, password, access level, and a flag to indicate advanced user privileges. When a logged-in administrator visits the malicious page, the request is sent automatically, and the new admin account is created.
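
A server-side check that rejects the forged request described above, shown as an added example (not Wowza's code and not part of the original advisory). The trusted origin, the secret, the csrf_token field name and the sample form values are assumptions made for the sketch.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for this sketch; none of them come from the advisory.
TRUSTED_ORIGIN = "https://manager.example.internal"
SERVER_SECRET = b"constructed-demo-secret"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id):
    """Per-session token; a page on another origin cannot read or derive it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for a request that carries a valid session cookie."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # Source check: Origin first, Referer as fallback, reject when both are absent.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer"
    if origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin source"
    # Token check: the session cookie alone is not proof of intent.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "same-origin with valid token"


if __name__ == "__main__":
    sid = "constructed-session-id"  # constructed sample data
    new_user = {"username": "constructed-user"}
    cases = {
        "forged cross-site POST": ({"Origin": "https://other.example"}, new_user),
        "same-origin, no token": ({"Origin": TRUSTED_ORIGIN}, new_user),
        "manager's own form": ({"Origin": TRUSTED_ORIGIN},
                               {**new_user, "csrf_token": issue_token(sid)}),
    }
    for name, (headers, form) in cases.items():
        print(name, "->", check_request("POST", headers, sid, form))
```

Only the last case is accepted: the session cookie is present in all three, so the decision rests on the request's source and the per-session token.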

Added: Mar 16, 2026, 3:09 PM
Updated: Mar 16, 2026, 3:09 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 7.5
remediation: 0.0
relevance: 4.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.