Reflected XSS in Path Traversal detector in azuracast/azuracast


Reported on

Apr 20th 2023


Azuracast has a feature that block all Path Traversal tentative (good job implementing it). But when azuracast block an attack reflect the path without sanitize the output (PathTraversalDetected.php).

It is possibile to do attack like Reflected XSS or HTML injection.

#Step to reproduce

  1. [1] Prepare the link and send it to the victim (an admin)
  2. [2] If the admin open the link the XSS is fired

Proof of Concept (just navigate the link)


Small note: this attack can be chained to another vulnerability (about an RCE) , in order to gain a One Click Remote code execution (

I hope i was helpful. XSS - Cookie steal HTML INJECTION


This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface website or direct users to malicious websites and allows attacker to use for further exploitation.

We are processing your report and will contact the azuracast team within 24 hours. 8 months ago
Hakiduck modified the report
8 months ago
We have contacted a member of the azuracast team and are waiting to hear back 7 months ago
Buster Neece validated this vulnerability 7 months ago

Valid issue. Thank you for the report! Fixed in the latest Rolling Release.

Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Buster Neece marked this as fixed in 0.18.2 with commit 550208 7 months ago
Buster Neece has been awarded the fix bounty
This vulnerability will not receive a CVE
Buster Neece published this vulnerability 7 months ago
to join this conversation