CVE-2021-41764
8.8 HIGHA cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3
Published: 2021-09-29 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE
- CWE-352
Affected products
| Vendor | Product |
|---|---|
| streama_project | streama |
Description
A cross-site request forgery (CSRF) vulnerability exists in Streama up to and including v1.10.3. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result, attackers could make a logged-in administrator upload arbitrary local files via a CSRF attack and send them to the attacker.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41764
- [Exploit reference]https://gist.github.com/omriinbar/3c741d309e5d0ede29dc7ecdad4eba3f
- [Other]https://gist.github.com/omriinbar/8277193731d0edf20ef71299f304ab93
- [Other]https://github.com/streamaserver/streama
- [Exploit reference]https://gist.github.com/omriinbar/3c741d309e5d0ede29dc7ecdad4eba3f
- [Other]https://gist.github.com/omriinbar/8277193731d0edf20ef71299f304ab93
- [Other]https://github.com/streamaserver/streama
Related CVEs
Same CWE
- CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
- CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
- CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
- CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)
- CVE-2016-20067 — WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on beh... (4.3 MEDIUM)