PHP Object Injection Vulnerability in Revive Adserver by Revive Adserver
CVE-2019-5434

9.8 CRITICAL

Key Information:

Vendor:
Revive-sas
CVE Published:
6 May 2019

What is CVE-2019-5434?

Revive Adserver's XML-RPC invocation script passes the value of the 'what' parameter to PHP's unserialize() function. Because unserialize() instantiates whatever classes the serialized data names, an attacker who supplies a crafted value in that parameter can achieve PHP object injection. A compromised Revive Adserver instance could then be used to deliver malware to the third-party websites that serve ads from it. The flaw was fixed in version 4.2.0; installations running earlier versions should be upgraded.

Affected Version(s)

Revive Adserver: fixed in version v4.2.0

EPSS Score

57% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved