Duplicate
This advisory duplicates another.
An API endpoint intended for internal use by the SFTP software sftpgo was mistakenly exposed on the public-facing HTTP API for AzuraCast installations. This would allow a user with specific internal knowledge of a station's operations to craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. With a request like: curl -s -X POST "http://localhost/api/internal/sftp-event" …
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.