Vulnerability Description
A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wowza | Streaming Engine | < 4.8.14 |
Related Weaknesses (CWE)
References
- https://n4nj0.github.io/advisories/wowza-streaming-engine-i/Third Party Advisory
- https://www.gruppotim.it/redteamExploitThird Party Advisory
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notesRelease NotesVendor Advisory
- https://n4nj0.github.io/advisories/wowza-streaming-engine-i/Third Party Advisory
- https://www.gruppotim.it/redteamExploitThird Party Advisory
- https://www.wowza.com/docs/wowza-streaming-engine-4-8-14-release-notesRelease NotesVendor Advisory
FAQ
What is CVE-2021-35491?
CVE-2021-35491 is a vulnerability with a CVSS score of 8.1 (HIGH). A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName pa...
How severe is CVE-2021-35491?
CVE-2021-35491 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-35491?
Check the references section above for vendor advisories and patch information. Affected products include: Wowza Streaming Engine.