Cross-site Scripting (XSS) - Reflected in azuracast/azuracast
Valid
Reported on Aug 27th 2021
✍️ Description
The application is vulnerable to reflected HTML injection.
🕵️‍♂️ Proof of Concept
Open the following page in the browser as admin. The page is vulnerable to HTML injection.
https://demo.azuracast.com/public/azuratest_radio/embed-requests?theme=1%22%3E%3Cbody%3E%3Ciframe%20src=%27https://www.usa.gov/%27%20height=%27500%27%20width=%27800%27%3E%3C/iframe%3E%3C/body%3E%3C/html%3E%3C%22
An iframe is injected into the page through the HTML injection vulnerability.
💥 Impact
HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
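The reflection and its fix, as an added example that is not AzuraCast's code: it renders the `theme` value from the proof-of-concept URL into a quoted attribute with and without output encoding, and counts the `<iframe>` elements an HTML parser then finds. The template, the helper names and the allow-list of theme names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL exactly as given in the report.
POC_URL = (
    "https://demo.azuracast.com/public/azuratest_radio/embed-requests"
    "?theme=1%22%3E%3Cbody%3E%3Ciframe%20src=%27https://www.usa.gov/%27"
    "%20height=%27500%27%20width=%27800%27%3E%3C/iframe%3E%3C/body%3E"
    "%3C/html%3E%3C%22"
)
# Assumption: the value lands inside a double-quoted attribute.
TEMPLATE = '<html><body class="embed theme-{theme}"><p>Requests</p></body></html>'
ALLOWED_THEMES = {"light", "dark"}  # assumed set of valid theme names

def theme_from_url(url):
    """Return the percent-decoded `theme` query parameter."""
    return parse_qs(urlsplit(url).query).get("theme", [""])[0]

def render_vulnerable(theme):
    # Raw reflection: a '"' in the value closes the attribute early.
    return TEMPLATE.format(theme=theme)

def render_encoded(theme):
    # Attribute-context encoding: & < > " ' become character references.
    return TEMPLATE.format(theme=html.escape(theme, quote=True))

def render_allowlisted(theme):
    # Stricter: accept only known names, then still encode on output.
    return render_encoded(theme if theme in ALLOWED_THEMES else "light")

class TagLog(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)

def count_tag(markup, name):
    """Count start tags called `name` that an HTML parser finds in markup."""
    parser = TagLog()
    parser.feed(markup)
    parser.close()
    return parser.seen.count(name)
```
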
We have contacted a member of the azuracast team and are waiting to hear back (2 years ago)