PT-2023-18353 · Azuracast · Azuracast

Published 2023-04-20 · Updated 2023-04-29 · CVE-2023-2191

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Azuracast versions prior to 0.18.0

Description: The issue is a stored Cross-site Scripting (XSS) vulnerability in AzuraCast (the AzuraCast GitHub repository). A user with an existing AzuraCast account could update their display name to inject malicious JavaScript into the site's header menu. That menu is normally visible only to the logged-in user, but an administrator using the Log In As feature to view the site as that user could also be affected, allowing the injected JavaScript to exfiltrate certain data. The vulnerability is primarily a concern for multi-tenant installations, such as resellers, because anonymous public visitors cannot exploit it.

Recommendations: For versions prior to 0.18.0, update to version 0.18.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Log In As feature to minimize the risk of exploitation. Additionally, monitor user account updates and display name changes to detect potentially malicious activity.
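The following is an added example, not AzuraCast's code, showing the two defender-side points the advisory makes: a display name that is interpolated into header-menu markup verbatim is rendered as HTML, while the same value passed through output encoding is shown as text, and display-name updates can be reviewed for markup to support the monitoring recommendation. All function names, the event shape and the sample display names are assumptions constructed for illustration.

```javascript
// Minimal HTML entity encoder for values placed into element text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (illustrative, not AzuraCast's template): the display name
// is interpolated into the menu markup as-is, so any tags it contains are parsed
// by the browser as part of the page.
function renderHeaderMenuUnsafe(displayName) {
  return `<li class="user-menu">${displayName}</li>`;
}

// Hardened pattern: same template, but the untrusted value is encoded before it
// is placed into HTML, so it is displayed as text rather than parsed as markup.
function renderHeaderMenuSafe(displayName) {
  return `<li class="user-menu">${escapeHtml(displayName)}</li>`;
}

// Detection helper for the "monitor display name changes" recommendation.
// A display name has no legitimate need for tags, entities or URL schemes the
// browser treats specially; each finding is returned as a reason for the log line.
function suspiciousDisplayName(displayName) {
  const reasons = [];
  if (/[<>]/.test(displayName)) reasons.push("contains angle brackets");
  if (/&#?\w+;/.test(displayName)) reasons.push("contains HTML entity");
  if (/javascript:/i.test(displayName)) reasons.push("contains javascript: URL scheme");
  if (/\bon\w+\s*=/i.test(displayName)) reasons.push("contains inline event handler syntax");
  return reasons;
}

// Review one display-name update event (constructed shape, not AzuraCast's audit
// log) and produce a record suitable for alerting an administrator.
function reviewDisplayNameChange(event) {
  const reasons = suspiciousDisplayName(event.newDisplayName);
  return { userId: event.userId, flagged: reasons.length > 0, reasons };
}

// Constructed sample updates: one benign name, one containing markup.
const sampleEvents = [
  { userId: 1, newDisplayName: "DJ Alice" },
  { userId: 2, newDisplayName: "Bob <b>Bold</b>" },
];

// Run the review over the sample and return the results for inspection.
function reviewSampleEvents() {
  return sampleEvents.map(reviewDisplayNameChange);
}

for (const result of reviewSampleEvents()) {
  console.log(JSON.stringify(result));
}
for (const ev of sampleEvents) {
  console.log(renderHeaderMenuSafe(ev.newDisplayName));
}
```

Encoding at the point of output, as in `renderHeaderMenuSafe`, is the actual fix; the review helper only supports the interim monitoring the advisory suggests and is not a substitute for upgrading to 0.18.0.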

Tags: Exploit · Fix · XSS

Related Identifiers: CVE-2023-2191, GHSA-Q55C-HMPF-6H2G

Affected Products: Azuracast