Persistent XSS Vulnerability in Revive Adserver
CVE-2021-22871

4.8 MEDIUM

What is CVE-2021-22871?

Revive Adserver prior to version 5.1.0 is vulnerable to a persistent cross-site scripting (XSS) flaw. Authenticated users with manager privileges can inject potentially harmful scripts into the URL property of a website. The stored value is rendered unsanitized on the affiliate-preview.php tag generation screen, so the injected script executes in the browser of any user who visits that page, which could lead to data theft and session hijacking.

Affected Version(s)

https://github.com/revive-adserver/revive-adserver Fixed in 5.1.0

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
