[<prev] [next>] [day] [month] [year] [list]
Message-ID: <403d9d6e-b68b-1ef7-8a57-b16d14fc3020@beccati.com>
Date: Tue, 21 Jan 2020 14:24:14 +0100
From: Matteo Beccati via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] [REVIVE-SA-2020-001] Revive Adserver Vulnerability
========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.3
Versions not affected: >= 5.0.4
Website: https://www.revive-adserver.com/
========================================================================
========================================================================
Vulnerability - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: t.b.a.
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================
Description
-----------
A reflected XSS vulnerability has been discovered in the publicly
accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi.
There are currently no known exploits: the session identifier cannot
be accessed as it is stored in an http-only cookie as of v3.2.2. On
older versions, however, under specific circumstances, it could be
possible to steal the session identifier and gain access to the admin
interface.
Details
-------
The query string sent to the www/delivery/afr.php script was printed
back without proper escaping in a JavaScript context, allowing an
attacker to execute arbitrary JS code on the browser of the victim.
References
----------
https://hackerone.com/reports/775693
https://github.com/revive-adserver/revive-adserver/commit/327aaf10
https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
https://cwe.mitre.org/data/definitions/79.html
========================================================================
Solution
========================================================================
We strongly advise people to upgrade to the most recent 5.0.4 version of
Revive Adserver.
========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.
Please review https://www.revive-adserver.com/security/ before doing so.
--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists