======================================================================== Revive Adserver Security Advisory REVIVE-SA-2020-001 ------------------------------------------------------------------------ https://www.revive-adserver.com/security/revive-sa-2020-001 ------------------------------------------------------------------------ CVE-IDs: t.b.a. Date: 2020-01-21 Risk Level: Low Applications affected: Revive Adserver Versions affected: <= 5.0.3 Versions not affected: >= 5.0.4 Website: https://www.revive-adserver.com/ ======================================================================== ======================================================================== Vulnerability - Reflected XSS ======================================================================== Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] CVE-ID: t.b.a. CVSS Base Score: 4.3 CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Impact Subscore: 1.4 CVSS Exploitability Subscore: 2.8 ======================================================================== Description ----------- A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. Details ------- The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim. References ---------- https://hackerone.com/reports/775693 https://github.com/revive-adserver/revive-adserver/commit/327aaf10 https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26 https://cwe.mitre.org/data/definitions/79.html ======================================================================== Solution ======================================================================== We strongly advise people to upgrade to the most recent 5.0.4 version of Revive Adserver. ======================================================================== Contact Information ======================================================================== The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>. Please review https://www.revive-adserver.com/security/ before doing so. -- Matteo Beccati On behalf of the Revive Adserver Team https://www.revive-adserver.com/