Reflected XSS in Path Traversal detector in azuracast/azuracast
Apr 20th 2023
AzuraCast has a feature that blocks all path traversal attempts (good job implementing it). But when AzuraCast blocks an attack, it reflects the path without sanitizing the output (PathTraversalDetected.php).
This makes attacks such as reflected XSS or HTML injection possible.
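The difference between reflecting the blocked path raw and encoding it for the HTML context, as an added PHP example. This is not AzuraCast's code: the function names, the message text and the sample paths are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an error page that reports a blocked path.
// Unsafe form: the request path is concatenated into HTML unchanged,
// so any markup in the path becomes part of the page.
function renderBlockedUnsafe(string $path): string
{
    return '<p>Path traversal detected: ' . $path . '</p>';
}

// Hardened form: encode at the point of output for the HTML context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string.
function renderBlockedSafe(string $path): string
{
    $encoded = htmlspecialchars(
        $path,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p>Path traversal detected: ' . $encoded . '</p>';
}

// Constructed sample inputs (assumptions, not taken from the report):
// a traversal attempt carrying markup, and one with an invalid UTF-8 byte.
$samples = [
    'markup'       => '/files/../../<b title="x">injected</b>',
    'invalid-utf8' => "/files/../../\xC3<i>",
];

foreach ($samples as $label => $path) {
    $unsafe = renderBlockedUnsafe($path);
    $safe   = renderBlockedSafe($path);

    // A live tag in the response means the browser would parse it as HTML.
    printf(
        "%s: unsafe has live tag=%s, safe has live tag=%s\n",
        $label,
        var_export(preg_match('/<[bi][ >]/', $unsafe) === 1, true),
        var_export(preg_match('/<[bi][ >]/', $safe) === 1, true)
    );
    echo '  safe output: ', $safe, "\n";
}
```

Serving such diagnostic messages as `text/plain` with `X-Content-Type-Options: nosniff` is a second layer, but encoding at output remains the fix for an HTML response.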
# Steps to reproduce
- Prepare the link and send it to the victim (an admin)
- If the admin opens the link, the XSS fires
Proof of Concept (just navigate to the link)
Small note: this attack can be chained with another vulnerability (an RCE) in order to gain a one-click remote code execution (https://huntr.dev/bounties/a4afda09-5f76-4c55-b3c0-9431e9af653b).
I hope I was helpful.
This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface the website or direct users to malicious websites, and allows the attacker to use it for further exploitation.