3 matches found

OSV
added 2026/05/04 9:19 p.m., 6 views

GHSA-QFF7-Q5FM-8P76 AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration

Summary: The GET /api/station/stationid/file/id/play endpoint, handled by PlayAction, is missing the Middleware\Permissions check that protects all sibling routes in the same /file/id route group. Any authenticated user can download media files from any station, regardless of whether they have...

6.5 CVSS, 5.8 AI score
Exploits 0, References 3

GitHub Security Blog
added 2026/05/04 9:19 p.m., 11 views

AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration

Summary: The GET /api/station/stationid/file/id/play endpoint, handled by PlayAction, is missing the Middleware\Permissions check that protects all sibling routes in the same /file/id route group. Any authenticated user can download media files from any station, regardless of whether they have...

5.8 AI score
Exploits 0, References 3, Affected Software 1

OSV
added 2026/03/09 7:55 p.m., 2 views

GHSA-93FX-5QGC-WR38 AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs

Summary: AzuraCast's ConfigWriter::cleanUpString method fails to sanitize Liquidsoap string interpolation sequences ..., allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file...

8.7 CVSS, 6 AI score
Exploits 0, References 5