Security Restriction Bypass in Revive Adserver by Revive Adserver
CVE-2020-8142

6.8MEDIUM

Key Information:

Vendor: Revive-adserver
Status: Https://github.com/revive-adserver/revive-adserver
Vendor: CVE Published:; 3 April 2020

🔔 Create Revive-adserver Vulnerability Alert

What is CVE-2020-8142?

A security restriction bypass vulnerability has been identified in Revive Adserver versions earlier than 5.0.5. This issue allows unauthorized users with access to the admin interface to change the email address or password of the currently logged-in user without entering the correct password. By manipulating the POST request payload, specifically by altering the ‘pwold’ parameter, an attacker can bypass the standard authentication check. This vulnerability emphasizes the importance of securing administrative interfaces and implementing stringent input validation mechanisms to prevent unauthorized data manipulation.

Affected Version(s)

https://github.com/revive-adserver/revive-adserver Fixed in >= 5.0.5

References

https://www.revive-adserver.com/security/revive-sa-2020-002/

x_refsource_MISC

https://hackerone.com/reports/792895

x_refsource_MISC

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2020
Vulnerability Reserved
Jan 28, 2020

JSON