Cross-Site Request Forgery in Revive Adserver Affects User Password Recovery
CVE-2016-9127

8.8 HIGH

Key Information:

Vendor:
CVE Published: 28 March 2017

What is CVE-2016-9127?

Revive Adserver versions before 3.2.3 are vulnerable to Cross-Site Request Forgery (CSRF) in the password recovery feature. An attacker who lures a user into submitting a forged recovery request can trigger password recovery emails for registered users en masse; the impact is made worse by a separate flaw that causes recovery emails to be sent to all users at once rather than to the single account named in the request. The issue is fixed in Revive Adserver 3.2.3 and later.

Affected Version(s)

Revive Adserver: all versions before 3.2.3

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
