Stored XSS in azuracast/azuracast

Valid

Reported on

Apr 18th 2023


Description

The Name field in Edit Profile page is vulnerable to Stored XSS.

  1. Navigate to https://demo.azuracast.com/ and login
  2. Navigate to my account page
  3. Click edit profile
  4. Change the user name to the below payload
  5. Every page of the application will now display an alert pop up on load

Proof of Concept

<img src=1 href=1 onerror="javascript:alert(document.domain)"></img> 

Screenshot:

https://drive.google.com/file/d/1HPJpHY0gGSTdvN5DV26K3sduEGQMDLCi/view?usp=share_link

Impact

An attacker can inject JavaScript into a victim's browser that could lead to stealing cookies in addition to installing JavaScript malware, keyloggers and performing remote actions.

We are processing your report and will contact the azuracast team within 24 hours. a month ago
We have contacted a member of the azuracast team and are waiting to hear back a month ago
Buster Neece modified the Severity from Medium (5.4) to Medium (5.4) a month ago
Buster Neece modified the Severity from Medium (5.4) to Low (3.8) a month ago
Buster Neece modified the Severity from Low (3.8) to Low (3.5) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Buster Neece validated this vulnerability a month ago

This is a valid report, and we have published changes to our code to fix the relevant issue in question as of our latest "Rolling Release" version.

Notes on the scope of the possible attack:

  • Users cannot create their own accounts in the system; an account must be created by an existing administrator and the credentials given to a user. This vulnerability is only exploitable by users once they have an account in the system.
  • This vulnerability DOES affect any page that uses the system's full ("main") theme; i.e. any administrative pages. However, it only displays your username in the header navigation if it's your username, meaning a vast majority of the time, the only data you're able to exfiltrate is your own.
  • This vulnerability DOES NOT apply to the "Administer Users" page where users with global administrative permissions can manage user accounts; usernames and e-mail addresses are properly escaped on this page, so simply visiting this page would not facilitate exfiltration of data, nor would visiting any other page while logged in on the super administrator account.
  • This vulnerability COULD be used to exfiltrate super administrator data if the super administrator used the "Log In As" feature on the "Administer Users" page to act as that user; it would then show that user's username in the header navigation, at which point data could possibly be exfiltrated from the super admin's session.

I have updated the CVSS scoring to reflect the limitations in exploiting this vulnerability. Limited as it is in scope and applicability, it is indeed still a valid issue, and could especially pose a problem in multi-tenant installations used by resellers, as the likelihood of using the "Log In As" functionality is higher in this case.
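For readers who want to see what the described fix amounts to, the following is an added illustration (not AzuraCast's own code or its template): a header-navigation fragment that interpolates the user's name raw, beside the same fragment with the name HTML-encoded, both fed the payload quoted in the report, plus a small check an administrator could run over names already stored before the fix. The `/profile` link and the `nav-item` class are assumed placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the AzuraCast project. The payload below is the
// one from the report above, used here as a constructed test value.
const REPORTED_PAYLOAD = '<img src=1 href=1 onerror="javascript:alert(document.domain)"></img>';

// Vulnerable pattern: the stored display name is concatenated straight into HTML,
// so the browser parses the <img> tag and runs its onerror handler.
function renderNavUnsafe(string $displayName): string
{
    return '<li class="nav-item"><a href="/profile">' . $displayName . '</a></li>';
}

// Hardened pattern: encode for the HTML text context before concatenation.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, so the name never silently vanishes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNavSafe(string $displayName): string
{
    return '<li class="nav-item"><a href="/profile">' . escapeHtml($displayName) . '</a></li>';
}

// Post-upgrade hygiene check: a display name containing markup or an inline
// event handler was stored before output encoding existed and deserves review.
function looksLikeMarkup(string $displayName): bool
{
    return $displayName !== strip_tags($displayName)
        || preg_match('/on\w+\s*=|javascript:/i', $displayName) === 1;
}

$unsafe = renderNavUnsafe(REPORTED_PAYLOAD);
$safe   = renderNavSafe(REPORTED_PAYLOAD);

// Unsafe output still carries a live <img> tag; safe output carries only text.
var_dump(str_contains($unsafe, '<img'));           // bool(true)
var_dump(str_contains($safe, '<img'));             // bool(false)
var_dump(str_contains($safe, '&lt;img src=1'));    // bool(true)
var_dump(looksLikeMarkup(REPORTED_PAYLOAD));       // bool(true)
var_dump(looksLikeMarkup('Buster Neece'));         // bool(false)

echo $safe, PHP_EOL;
```

Encoding at output time is the fix; the `looksLikeMarkup` sweep is only there to find records that were poisoned while the vulnerable version was running.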

m0ck3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Buster Neece marked this as fixed in 0.18 with commit 24276c a month ago
Buster Neece has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 20th 2023
Buster Neece published this vulnerability a month ago
User.php#L1-L312 has been validated
m0ck3d
a month ago

Researcher


Thank you so much!

m0ck3d
a month ago

Researcher


Just validated the fix, XSS no longer possible in Username field.
