Broken Authentication in azuracast/azuracast

Valid

Reported on Jun 18th 2023


Description

I tested the demo site you provided. I see that there is a Broken Authentication vulnerability in the Administration: CPU stats API. The Administration: CPU stats API does not validate user permissions.

Proof of Concept

Video PoC link:

https://screenpal.com/watch/c01F1bVBmX1

Steps

1. In my dashboard I see API Documentation... and click on it.

2. Click on Administration: CPU stats API and get a 200 successful response without any login/authentication/API key.

Impact

Attackers take advantage of the broken authentication and get sensitive information from Administration: CPU stats.
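An added illustration of the bug class reported above (not AzuraCast's own code, which is PHP): a CPU stats handler that answers any caller, beside one that first requires an authenticated user holding an admin permission. The permission name, the user and request models, and the stats values are hypothetical.

```python
# Added example, not AzuraCast code. Models the reported defect: an admin
# API route that returns host statistics without checking who is asking,
# next to the same route with authentication and permission checks.
from dataclasses import dataclass, field
from typing import Optional

ADMIN_VIEW_STATS = "administer:view_stats"  # hypothetical permission name


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Request:
    user: Optional[User] = None  # None: no session cookie and no API key


def collect_cpu_stats() -> dict:
    # Constructed stand-in for real host metrics (CPU load, memory, etc.).
    return {"cpu_load": 0.42, "mem_used_mb": 1024}


def cpu_stats_vulnerable(req: Request) -> tuple:
    # Vulnerable form: no identity or permission check at all, so an
    # unauthenticated request gets a 200 with the stats payload.
    return 200, collect_cpu_stats()


def cpu_stats_fixed(req: Request) -> tuple:
    # Hardened form: reject anonymous callers first (401), then callers
    # who are logged in but lack the admin permission (403).
    if req.user is None:
        return 401, {"error": "authentication required"}
    if ADMIN_VIEW_STATS not in req.user.permissions:
        return 403, {"error": "permission denied"}
    return 200, collect_cpu_stats()
```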

References

We are processing your report and will contact the azuracast team within 24 hours. 3 months ago
We have contacted a member of the azuracast team and are waiting to hear back 3 months ago
Buster Neece validated this vulnerability 2 months ago

Valid issue, but not all that severe, honestly. Just shows CPU, RAM, etc. stats to users. Mostly informative for server operators. Has been fixed in latest Rolling Release version.

deepakkuma24 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Buster Neece marked this as fixed in 0.18.6 with commit 140477 2 months ago
Buster Neece has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 10th 2023
Buster Neece published this vulnerability a month ago