CVE-2023-2191 in azuracast
Summary
by MITRE • 04/20/2023
Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.
Analysis
by VulDB Data Team • 07/12/2025
The vulnerability identified as CVE-2023-2191 is a stored cross-site scripting flaw in the AzuraCast streaming media management platform. It affects versions prior to 0.18 and resides in the GitHub repository azuracast/azuracast, an open-source solution for managing radio stations and streaming services. The flaw stems from insufficient input validation and output sanitization in the application's web interface, a persistent weakness that allows attackers to store malicious scripts in the application's database.
The stored XSS vulnerability occurs when user-supplied data is not properly sanitized before being stored and subsequently rendered in web pages. Attackers can exploit this weakness by submitting malicious payloads through various input fields within the AzuraCast interface, including but not limited to station names, stream titles, or user-generated content sections. Once stored in the database, these scripts execute automatically whenever other users access the affected pages, which makes this vulnerability particularly dangerous: it can affect multiple users without requiring them to interact with a specific malicious link. The flaw maps to CWE-79, which defines cross-site scripting as the failure to properly encode output, and aligns with ATT&CK technique T1190, which describes the use of client-side exploits to gain unauthorized access.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it provides attackers with the capability to establish persistent access to affected systems through session hijacking, credential theft, and potential privilege escalation. An attacker who successfully exploits this vulnerability could execute arbitrary JavaScript code in the context of other users' browsers, potentially accessing administrative functions, stealing session cookies, or redirecting users to malicious websites. The stored nature of this vulnerability means that the malicious payload remains active even after the initial injection, creating a long-term threat that persists until the vulnerability is patched and the malicious content is removed from the database. This type of vulnerability is particularly concerning in media streaming environments where administrators may have elevated privileges and sensitive configuration data.
Mitigation strategies for CVE-2023-2191 should prioritize immediate patching of affected AzuraCast installations to version 0.18 or later, which contains the necessary security fixes. Organizations should also implement comprehensive input validation and output encoding mechanisms throughout the application, particularly for user-generated content fields. Regular security audits and penetration testing of the streaming platform should be conducted to identify additional potential vulnerabilities. Network segmentation and the implementation of web application firewalls can provide additional layers of protection against exploitation attempts. Security awareness training for administrators should emphasize the importance of keeping software updated and monitoring for suspicious activity in user-generated content sections. The vulnerability demonstrates the critical importance of maintaining up-to-date security practices in open-source applications, particularly those handling sensitive operational data for media streaming services.
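The following added example (not AzuraCast's own code) illustrates the store-then-render pattern behind a stored XSS like the one described above, placing the vulnerable rendering beside the hardened, output-encoded form; the station records and the `renderStationList*` and `leaksRawMarkup` helpers are constructed for this illustration.

```javascript
// Constructed sample rows standing in for stored database records. Row 2 holds the kind of
// value that would be saved in a free-text field such as a station name; row 3 shows that
// ordinary names with quotes and ampersands must still render correctly after encoding.
const storedStations = [
  { id: 1, name: "Morning Jazz" },
  { id: 2, name: '<img src=x onerror="alert(1)">' },
  { id: 3, name: 'Rock "n" Roll & Blues' },
];

// Encode the five characters that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored value is concatenated straight into markup, so anything
// saved earlier by one user runs in the browser of every user who later views the list.
function renderStationListUnsafe(stations) {
  return stations
    .map((s) => `<li data-station="${s.name}">${s.name}</li>`)
    .join("\n");
}

// Hardened pattern: every untrusted value is encoded at the point it enters the page,
// in both the text node and the attribute value.
function renderStationListSafe(stations) {
  return stations
    .map((s) => `<li data-station="${escapeHtml(s.name)}">${escapeHtml(s.name)}</li>`)
    .join("\n");
}

// Defender-side check usable in a template test: a stored value that contains markup
// characters must never appear verbatim in the rendered page.
function leaksRawMarkup(stations, html) {
  return stations.some((s) => /[<>"']/.test(s.name) && html.includes(s.name));
}

console.log("unsafe leaks:", leaksRawMarkup(storedStations, renderStationListUnsafe(storedStations)));
console.log("safe leaks:  ", leaksRawMarkup(storedStations, renderStationListSafe(storedStations)));
```

The same check, run over rendered templates in CI, flags any new field that is written to the page without passing through the encoder.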