Reflected XSS Vulnerability in Revive Adserver by Revive Adserver
CVE-2021-22889

6.1 MEDIUM

What is CVE-2021-22889?

Revive Adserver versions prior to 5.2.0 are vulnerable to reflected XSS. Single quotes in the 'statsBreakdown' parameter of stats.php are not adequately escaped, which allows an attacker to craft malicious URLs. Users with access to the Revive Adserver interface may be targeted, potentially allowing attackers to execute arbitrary JavaScript code in the context of the user's session. To mitigate this risk, update to version 5.2.0 or later and follow best practices for securing web applications.
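The escaping gap described above, shown as an added PHP example that is not Revive Adserver's code or its actual fix. The helper names, the allowlist values and the sample inputs are assumptions made for illustration, as is the single-quoted attribute context.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; this is not Revive Adserver code.
// Assumed context: the value is echoed into a single-quoted HTML attribute.

// Assumed allowlist of breakdown values (constructed for this example).
const ALLOWED_BREAKDOWNS = ['day', 'week', 'month'];

// Weak: ENT_COMPAT encodes & < > " but leaves single quotes untouched.
function escapeWeak(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

// Stronger: ENT_QUOTES also encodes ' as &#039;.
function escapeStrict(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: validate against the allowlist first, then escape.
function renderBreakdownField(string $value): string
{
    if (!in_array($value, ALLOWED_BREAKDOWNS, true)) {
        $value = ALLOWED_BREAKDOWNS[0]; // fall back to a known-good default
    }
    return "<input type='hidden' name='statsBreakdown' value='"
        . escapeStrict($value) . "'>";
}

// True when the escaped text can still terminate a single-quoted attribute.
function canCloseSingleQuotedAttr(string $escaped): bool
{
    return strpos($escaped, "'") !== false;
}

// Constructed sample inputs: one expected value, one carrying a stray quote.
$samples = ['day', "day' data-extra='1"];

foreach ($samples as $input) {
    printf("input: %s\n", $input);
    foreach (['weak' => escapeWeak($input), 'strict' => escapeStrict($input)] as $name => $out) {
        printf("  %-6s %-34s closes attribute: %s\n", $name, $out,
            canCloseSingleQuotedAttr($out) ? 'yes' : 'no');
    }
    printf("  field  %s\n", renderBreakdownField($input));
}
```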

Affected Version(s)

https://github.com/revive-adserver/revive-adserver Fixed in v5.2.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved