SB20260424112 - Multiple vulnerabilities in AzuraCast
Published: April 24, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Missing Authorization (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the GET /api/station/{station_id}/file/{id}/play endpoint handled by PlayAction when handling media file download requests. A remote user can send a crafted request for a media file from another station to disclose sensitive information.
In multi-tenant deployments, the issue can expose media files across stations, and sequential media IDs make enumeration trivial.
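The defensive pattern for an ownership flaw of this kind is to scope the media lookup to the station in the route instead of trusting the media id on its own. The following Python model is an added example, not AzuraCast's PHP code; the in-memory table `MEDIA`, the `Response` type and the two handler functions are constructed for illustration. It places the unscoped lookup beside the scoped one and returns the same 404 for a foreign id as for a missing one, so sequential ids cannot be used to confirm which files exist in other stations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    id: int
    station_id: int
    path: str


# Constructed sample data: two stations sharing one sequential id space.
MEDIA = {
    1: Media(1, 10, "station10/intro.mp3"),
    2: Media(2, 10, "station10/jingle.mp3"),
    3: Media(3, 20, "station20/private-show.mp3"),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def play_unscoped(station_id: int, media_id: int) -> Response:
    """Vulnerable pattern: the row is fetched by media id alone, so the
    station_id from the route is never compared with the row's owner."""
    media = MEDIA.get(media_id)
    if media is None:
        return Response(404, "not found")
    return Response(200, media.path)


def find_media(station_id: int, media_id: int):
    """Scoped lookup, the equivalent of WHERE id = ? AND station_id = ?."""
    media = MEDIA.get(media_id)
    if media is None or media.station_id != station_id:
        return None
    return media


def play_scoped(station_id: int, media_id: int) -> Response:
    """Hardened pattern: a foreign id and a non-existent id produce the
    same response, so cross-station enumeration learns nothing."""
    media = find_media(station_id, media_id)
    if media is None:
        return Response(404, "not found")
    return Response(200, media.path)


if __name__ == "__main__":
    # A user of station 10 asks for media id 3, which belongs to station 20.
    print("unscoped:", play_unscoped(10, 3))  # leaks station20/private-show.mp3
    print("scoped:  ", play_scoped(10, 3))    # 404
```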
2) Code Injection (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in the remote relay password field in ConfigWriter.php when processing a crafted source_password value during Liquidsoap configuration generation. A remote user can send a specially crafted API request with nested interpolation syntax to execute arbitrary code.
The issue can also disclose the internal API key and requires the RemoteRelays station permission. Exploitation is triggered when the station configuration is regenerated and loaded by Liquidsoap.
Remediation
Install the update from the vendor's website.