Reflected XSS Vulnerability in Revive Adserver by Revive
CVE-2021-22872

6.1 MEDIUM

What is CVE-2021-22872?

Revive Adserver prior to version 5.1.0 is susceptible to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. This weakness primarily affects older browsers that do not automatically URL-encode parameters, which leaves their users exposed to injection attacks. Security measures implemented in modern browsers do not mitigate this issue, so users of outdated browsers such as Internet Explorer 10 must take action to safeguard against potential exploits.

Affected Version(s)

https://github.com/revive-adserver/revive-adserver Fixed in 5.1.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
