Reflected XSS Vulnerability in Revive Adserver by Revive
CVE-2016-9128

5.4 MEDIUM

Key Information:

Vendor
CVE Published: 28 March 2017

What is CVE-2016-9128?

Revive Adserver before version 3.2.3 is vulnerable to reflected Cross-Site Scripting (XSS) through the affiliate-preview.php script in the admin directory. An attacker can craft a malicious URL that, when opened by an authenticated user, could steal that user's session ID and potentially allow unauthorized access to the account. This issue highlights the importance of strict input validation and of protecting user sessions against such attacks.

Affected Version(s)

Revive Adserver: all versions before 3.2.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
