Session ID Generation Vulnerability in Revive Adserver by Revive
CVE-2021-22948

7.1HIGH

Key Information:

Vendor: Revive-adserver
Status: Https://github.com/revive-adserver/revive-adserver
Vendor: CVE Published:; 23 September 2021

🔔 Create Revive-adserver Vulnerability Alert

What is CVE-2021-22948?

A vulnerability exists in Revive Adserver due to the insecure generation of session IDs utilizing the uniqid() PHP function in versions prior to 5.3.0. This flaw may enable attackers to potentially brute-force session IDs, leading to unauthorized access to user accounts. It is crucial for users of affected versions to implement appropriate security measures to safeguard against potential session hijacking.

Affected Version(s)

https://github.com/revive-adserver/revive-adserver Fixed version v5.3.0

References

https://hackerone.com/reports/1187820

x_refsource_MISC

https://www.revive-adserver.com/security/revive-sa-2021-005/

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2021
Vulnerability Reserved
Jan 6, 2021

JSON