Message-ID: <b2375606-f9ce-4352-af65-0f2e33bb0e71@beccati.com>
Date: Wed, 19 Nov 2025 11:05:36 +0100
From: Matteo Beccati <php@...cati.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [REVIVE-SA-2025-003] Revive Adserver Vulnerabilities

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-003
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-003
------------------------------------------------------------------------
Date:                  2025-11-05
Risk Level:            High
Applications affected: Revive Adserver
Versions affected:     <= 6.0.1, <= 5.5.2
Versions not affected: >= 6.0.2, >= 5.5.3
Website:               https://www.revive-adserver.com/
========================================================================

 
========================================================================
Vulnerability 1: Authorization bypass
========================================================================
Vulnerability Type:    Improper Access Control [CWE-284]
CVE-ID:                CVE-2025-48986
CVSS Base Score:       8.8
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an 
authorization bypass vulnerability in the “admin-user.php”, 
“advertiser-user.php”, “affiliate-user.php”, and “agency-user.php” 
scripts. A logged in user, with enough privileges to access any of the 
affected scripts, can craft a specific payload to change the email 
address of any user in the system.

Details
-------
The functionality behind the “*-user.php” scripts always updated the 
user record with the data coming from the POST parameters, even when the 
user already existed. When an existing user was being added to an 
account, the form was prepared with the user's email address as a 
read-only field, but the server side did not enforce that. An attacker 
could craft a POST payload to alter the email address of any user, 
potentially taking over that account through the “Forgot Password” 
functionality.

References
----------
https://hackerone.com/reports/3398283
https://github.com/revive-adserver/revive-adserver/commit/7527d00
https://github.com/revive-adserver/revive-adserver/commit/8242644
https://cwe.mitre.org/data/definitions/284.html

 
========================================================================
Vulnerability 2: Stored XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                        Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2025-52668
CVSS Base Score:       8.7
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
========================================================================

Description
-----------
HackerOne community member Vitaly Simonovich (cyberjoker) has reported a 
stored XSS vulnerability in the “statistics-conversions.php” script, 
with the tracker or campaign name being the vector for attack.

Details
-------
The “statistics-conversions.php” script, included by the main stats.php 
front controller, did not escape tracker and campaign names before 
displaying them on the page.
If conversion tracking is enabled on the installation, a manager user 
could set up the attack by creating the required trackers and campaigns 
with crafted names, so that a specifically crafted link to “stats.php” 
would execute the injected JavaScript. Successful exploitation requires 
the attacker to trick a logged in administrator into visiting such a 
URL. The session cookie cannot be accessed or stolen via JavaScript, but 
session riding is possible, allowing the attacker to create new users 
or chain other kinds of exploits with administrator privileges.

References
----------
https://hackerone.com/reports/3400506
https://github.com/revive-adserver/revive-adserver/commit/3443963
https://github.com/revive-adserver/revive-adserver/commit/0f3b4a4
https://cwe.mitre.org/data/definitions/79.html
 

========================================================================
Vulnerability 3: Authorization Bypass
========================================================================
Vulnerability Type:    Authorization Bypass Through User-Controlled Key
                        [CWE-639]
CVE-ID:                CVE-2025-52670
CVSS Base Score:       7.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
========================================================================

Description
-----------
HackerOne community member Vitaly Simonovich (cyberjoker) has reported 
an authorization bypass vulnerability in the “delete-banner.php” script 
of Revive Adserver. Users with permissions to delete banners are 
mistakenly allowed to delete banners owned by other accounts.

Details
-------
The Revive Adserver “delete-banner.php” script did not check ownership 
of the banner referenced by the “bannerid” parameter before deleting it, 
so any user allowed to delete banners could delete banners belonging to 
other accounts simply by supplying their ids. This permits several kinds 
of malicious activity and directly affects the integrity of the data on 
the affected system.
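As an added example (not Revive Adserver code), the shape of the check that this class of bug needs: resolve the id taken from the request to its owner and compare it with the caller before any write happens. The in-memory tables, the banner/campaign/advertiser chain, the function names and the advertiser-level caller are all assumptions made for the illustration.

```php
<?php
// Added illustration, not Revive Adserver code. Data layout and helper
// names are hypothetical; the point is the ownership check before the delete.
declare(strict_types=1);

// Constructed sample data: banner -> campaign -> advertiser (client).
$banners   = [10 => ['campaignid' => 100], 11 => ['campaignid' => 200]];
$campaigns = [100 => ['clientid' => 1], 200 => ['clientid' => 2]];

// Vulnerable shape: the user-controlled key is trusted outright (CWE-639).
// Any caller who may delete banners can delete any banner in the system.
function deleteBannerVulnerable(array &$banners, int $bannerId): bool
{
    if (!isset($banners[$bannerId])) {
        return false;
    }
    unset($banners[$bannerId]);
    return true;
}

// Hardened shape: an advertiser-level caller may only delete banners that
// belong to one of its own campaigns. The refusal happens before the write
// and is indistinguishable from "no such banner", so the endpoint does not
// become an oracle for which ids exist in other accounts.
function deleteBannerHardened(array &$banners, array $campaigns, int $callerClientId, int $bannerId): bool
{
    $campaignId = $banners[$bannerId]['campaignid'] ?? null;
    $ownerId    = $campaigns[$campaignId]['clientid'] ?? null;
    if ($ownerId === null || $ownerId !== $callerClientId) {
        return false;
    }
    unset($banners[$bannerId]);
    return true;
}

// The caller is advertiser 1 and supplies the id of advertiser 2's banner.
$copy = $banners;
$crossAccountDeleted = deleteBannerVulnerable($copy, 11);

$copy = $banners;
$refused = !deleteBannerHardened($copy, $campaigns, 1, 11);   // foreign banner
$ownOk   = deleteBannerHardened($copy, $campaigns, 1, 10);    // own banner

var_dump($crossAccountDeleted, $refused, $ownOk, array_keys($copy));
```

The same check applies one level up for manager and agency callers: walk the chain to the entity the caller is scoped to and refuse anything that does not land there, rather than only checking that the caller has the "delete banners" permission bit.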

References
----------
https://hackerone.com/reports/3401612
https://github.com/revive-adserver/revive-adserver/commit/1e0d1d1
https://github.com/revive-adserver/revive-adserver/commit/f5eef75
https://cwe.mitre.org/data/definitions/639.html
 

========================================================================
Vulnerability 4: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                        Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2025-55124
CVSS Base Score:       6.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Dang Hung Vi (vidang04) has reported a 
reflected XSS vulnerability in the “banner-zone.php” script since Revive 
Adserver 6.0.0. An attacker can craft a specific URL that includes an 
HTML payload in a parameter. If a logged in administrator visits the 
URL, the HTML is sent to the browser and malicious scripts would be 
executed.

Details
-------
The “filterWebsite” and “filterZone” GET parameters sent to the 
“banner-zone.php” script were used in the output without proper 
sanitisation, allowing an attacker to craft specific URLs and have 
payloads output in the HTML, JS, and/or CSS context. Successful 
exploitation requires an attacker to trick a logged in administrator 
into visiting the crafted URL. Most importantly, the session cookie 
cannot be accessed or stolen via JavaScript, so the disruption would be 
limited.

References
----------
https://hackerone.com/reports/3403727
https://github.com/revive-adserver/revive-adserver/commit/514bff9
https://cwe.mitre.org/data/definitions/79.html
 

========================================================================
Vulnerability 5: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                        Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2025-48987
CVSS Base Score:       4.3
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has 
reported a reflected XSS vulnerability in the 
“account-preferences-plugin.php” script. An attacker can craft a 
specific URL that includes an HTML payload in the “group” parameter. If 
a logged in administrator visits the URL, the HTML is sent to the 
browser and malicious scripts would be executed.

Details
-------
The “group” GET parameter sent to the “account-preferences-plugin.php” 
script is used in the output without proper sanitisation, allowing an 
attacker to craft specific URLs and have payloads output in the HTML, 
JS, and/or CSS context. Successful exploitation requires an attacker to 
trick a logged in administrator into visiting the crafted URL. Most 
importantly, the session cookie cannot be accessed or stolen via 
JavaScript, so the disruption would be limited.
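The reflected issues in vulnerabilities 4 and 5, and the stored one in vulnerability 2, share a root cause: a value is written into the page without being escaped for the context it lands in. The following is an added example, not code from Revive Adserver; the parameter name is taken from the advisory, but the page fragments, helper names and the attacker string are constructed for the illustration. It shows the same value interpolated into an HTML, a JavaScript and a CSS context, first raw and then with a context-specific escaper.

```php
<?php
// Added illustration, not Revive Adserver code. Helper names and the page
// template are hypothetical; the pattern is: escape at the point of output,
// for the context the value lands in.
declare(strict_types=1);

// Constructed request, as an attacker's crafted link would deliver it.
$get = ['group' => '"><script>alert(1)</script><x a="'];

// Vulnerable shape: the raw parameter is interpolated into three contexts.
function pageVulnerable(string $group): string
{
    return "<h2>Settings: $group</h2>\n"
         . "<script>var group = '$group';</script>\n"
         . "<style>.grp-$group { display:block }</style>\n";
}

function escHtml(string $s): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside single-quoted
    // attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $s): string
{
    // A JSON string literal with < > & ' " hex-escaped is a valid JS string
    // that cannot close the enclosing <script> element or the quotes.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function escCssIdent(string $s): string
{
    // For a CSS identifier an allow-list is simpler and safer than escaping.
    return preg_replace('/[^A-Za-z0-9_-]/', '', $s) ?: 'none';
}

// Hardened shape: one escaper per context.
function pageHardened(string $group): string
{
    return '<h2>Settings: ' . escHtml($group) . "</h2>\n"
         . '<script>var group = ' . escJs($group) . ";</script>\n"
         . '<style>.grp-' . escCssIdent($group) . " { display:block }</style>\n";
}

echo pageVulnerable($get['group']), PHP_EOL, pageHardened($get['group']);
```

Stored variants such as vulnerability 2 need exactly the same treatment on output; filtering at input time does not help because the same name is rendered in several contexts (a table cell, a JavaScript variable, a CSS class) that each need different escaping.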

References
----------
https://hackerone.com/reports/3399191
https://github.com/revive-adserver/revive-adserver/commit/d45c580
https://github.com/revive-adserver/revive-adserver/commit/8bbd2f5
https://cwe.mitre.org/data/definitions/79.html
 

========================================================================
Vulnerability 6: Information disclosure
========================================================================
Vulnerability Type:    Exposure of Sensitive Information Due to
                        Incompatible Policies [CWE-213]
CVE-ID:                CVE-2025-52669
CVSS Base Score:       4.3
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an 
information disclosure vulnerability in the user management system of 
Revive Adserver. Non administrator users can exploit the user management 
system to get the email address and contact name of other users in the 
system by typing in their usernames.

Details
-------
The Revive Adserver user management system allows multiple users to be 
linked to the account entities on the system. When adding a user, if the 
username already existed, Revive Adserver displayed the information on 
record so that the operator could verify they were adding the user they 
intended to. A non-administrator user could exploit this to look up the 
email addresses and contact names of other users on the system.
To avoid this level of information disclosure it has been decided to 
disallow adding existing users to account entities, unless the 
operation is performed by an administrator.
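Vulnerabilities 1 and 6 live in the same "add user to account" flow, so one added example covers both. It is not Revive Adserver code: the in-memory user store, the function names and the exception type are assumptions. The vulnerable shape writes the POSTed details back even for an existing user (vulnerability 1) and returns that user's record to any caller (vulnerability 6); the hardened shape only creates new users from request data, only lets administrators link existing ones, and never echoes the stored record back.

```php
<?php
// Added illustration, not Revive Adserver code. Store layout, function and
// exception names are hypothetical.
declare(strict_types=1);

final class AuthzError extends RuntimeException {}

// Constructed in-memory user store keyed by username.
$users = [
    'admin' => ['email' => 'admin@example.invalid', 'contact' => 'Site Admin', 'is_admin' => true],
    'alice' => ['email' => 'alice@example.invalid', 'contact' => 'Alice',      'is_admin' => false],
];

// Vulnerable shape: form data, including the email address that the form
// presents as read-only, is written to the record whether the user is new or
// already exists (vulnerability 1), and the record of an existing user is
// returned to whoever submitted the username (vulnerability 6).
function linkUserVulnerable(array &$users, array $post): array
{
    $username = $post['username'];
    $users[$username] = array_merge($users[$username] ?? ['is_admin' => false], [
        'email'   => $post['email'],    // attacker-controlled for existing users too
        'contact' => $post['contact'],
    ]);
    return $users[$username];
}

// Hardened shape:
//  - an existing user may only be linked by an administrator, and the stored
//    record is not returned to the caller (vulnerability 6);
//  - an existing user's details are never overwritten from the request; only
//    a brand-new user is created from POST data (vulnerability 1).
function linkUserHardened(array &$users, array $actor, array $post): void
{
    $username = $post['username'];
    if (isset($users[$username])) {
        if (!$actor['is_admin']) {
            throw new AuthzError('Unable to add this user');
        }
        return;   // link only; the POSTed email/contact are ignored
    }
    $users[$username] = [
        'email'    => $post['email'],
        'contact'  => $post['contact'],
        'is_admin' => false,
    ];
}

// Constructed attack: a manager (alice) submits the admin's username with
// her own email address.
$evil = ['username' => 'admin', 'email' => 'attacker@example.invalid', 'contact' => 'x'];

$store = $users;
linkUserVulnerable($store, $evil);
$adminEmailAfterVulnerable = $store['admin']['email'];

$store = $users;
try {
    linkUserHardened($store, $users['alice'], $evil);
} catch (AuthzError $e) {
    $refused = $e->getMessage();
}
$adminEmailAfterHardened = $store['admin']['email'];

var_dump($adminEmailAfterVulnerable, $refused ?? null, $adminEmailAfterHardened);
```

With the vulnerable handler the administrator's email address now belongs to the attacker, who can request a password reset for that account; with the hardened one the request is refused and the record is untouched. The principle generalises: fields a form renders as read-only must be enforced server-side, since the client is free to send any POST body.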

References
----------
https://hackerone.com/reports/3401464
https://github.com/revive-adserver/revive-adserver/commit/dbfc051
https://github.com/revive-adserver/revive-adserver/commit/2bd0a88
https://cwe.mitre.org/data/definitions/213.html


========================================================================
Vulnerability 7: Information disclosure
========================================================================
Vulnerability Type:    Generation of Error Message Containing Sensitive
                        Information [CWE-209]
CVE-ID:                CVE-2025-52671
CVSS Base Score:       4.3
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an 
information disclosure vulnerability in the error message displayed by 
Revive Adserver when an SQL error is encountered, which displayed 
software and database versions to non-administrator users as well.

Details
-------
The Revive Adserver SQL error message historically contained 
information useful to replicate and debug the issue: the software 
version, PHP version, database type and version, and the failing SQL 
query. To avoid non-essential disclosure, such information is now only 
displayed to administrator users.

References
----------
https://hackerone.com/reports/3403450
https://github.com/revive-adserver/revive-adserver/commit/8f17558
https://github.com/revive-adserver/revive-adserver/commit/1348712
https://cwe.mitre.org/data/definitions/209.html


========================================================================
Vulnerability 8: Stored XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                        Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2025-52667
CVSS Base Score:       3.5
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has 
reported a stored XSS vulnerability in the “inventory-retrieve.php” 
script, with campaign names being the vector for the stored XSS.

Details
-------
The “inventory-retrieve.php” script is used via AJAX by some UI 
components to load JSON data. The script did not send the appropriate 
“Content-Type: application/json” header, so, when its URL was opened 
directly, browsers interpreted the output as HTML. A manager user could 
craft campaign names so that the script's output contained markup that 
would execute JavaScript when the URL was opened with suitable 
parameters. Successful exploitation requires an attacker to trick a 
logged in administrator into visiting such a URL. Most importantly, the 
session cookie cannot be accessed or stolen via JavaScript, so the 
disruption would be limited.
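An added example, not Revive Adserver code, of why a JSON endpoint that can be reached by URL needs an explicit content type, and of the belt-and-braces encoding that keeps the body inert even if it is ever served with the wrong type. The campaign row and the function names are constructed for the illustration.

```php
<?php
// Added illustration, not Revive Adserver code. Data and function names are
// hypothetical.
declare(strict_types=1);

// Constructed: a campaign name containing markup, as a manager could set it.
$campaigns = [
    ['id' => 7, 'name' => '<img src=x onerror="alert(document.domain)">'],
];

// Vulnerable shape: json_encode() output sent with PHP's default text/html
// content type. The JSON is fine for the AJAX caller, but loaded directly in
// a tab the body is parsed as HTML and "name" becomes live markup.
function jsonVulnerable(array $rows): string
{
    return json_encode(['campaigns' => $rows]);
}

// Hardened shape: declare the type, forbid sniffing, and additionally hex-
// escape the characters that matter in an HTML context so that even a copy
// of the body served under the wrong type cannot become markup.
function jsonHardened(array $rows): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['campaigns' => $rows],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Demonstrates the bodies side by side. The vulnerable one contains a literal
// "<img ...>"; the hardened one contains only "\u003C", "\u003E" and
// "\u0022" escapes, which are still valid JSON for the AJAX consumer.
$raw  = jsonVulnerable($campaigns);
$safe = jsonHardened($campaigns);
var_dump(str_contains($raw, '<img'), str_contains($safe, '<'));
```

The header is the actual fix; the `JSON_HEX_*` flags are defence in depth, worth having because the same string will also be dropped into HTML by whatever JavaScript consumes the response.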

References
----------
https://hackerone.com/reports/3399809
https://github.com/revive-adserver/revive-adserver/commit/a46267a
https://github.com/revive-adserver/revive-adserver/commit/91c662c
https://cwe.mitre.org/data/definitions/79.html

 
========================================================================
Vulnerability 9: Stored XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                        Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2025-55123
CVSS Base Score:       3.5
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported a 
stored XSS vulnerability in the “banner-edit.php” script. A manager user 
can insert an HTML/JS payload in a banner name and have it executed when 
one of its advertiser users visits the banner edit page for that banner.

Details
-------
The banner name was displayed as read-only HTML to advertiser users in 
the banner edit page, but without proper escaping, allowing XSS attacks. 
The risk of the vulnerability is low as the target is a user with a 
lower level of access than the attacker.

References
----------
https://hackerone.com/reports/3404968
https://github.com/revive-adserver/revive-adserver/commit/b45618b
https://github.com/revive-adserver/revive-adserver/commit/a3ce0c3
https://cwe.mitre.org/data/definitions/79.html
 

========================================================================
Vulnerability 10: Format string injection
========================================================================
Vulnerability Type:    Use of Externally-Controlled Format String
                        [CWE-134]
CVE-ID:                CVE-2025-52666
CVSS Base Score:       2.7
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has 
reported a format string injection in the Revive Adserver settings. When 
specific character combinations are used in a setting, the admin user 
console could be disabled due to a fatal PHP error.

Details
-------
The Revive Adserver settings stored in the configuration file are also 
transformed into parameters for the Symfony Dependency Injection 
container. Such parameters allow environment variables or other 
parameters to be referenced (e.g. “%kernel.cache_dir%/foo/bar”). When 
initialising the container parameters, the “%” character was not 
properly escaped and it was possible to generate a PHP fatal error when 
a referenced parameter is not found. Only administrators are allowed to 
change settings, so, in normal circumstances, the disruption would be 
limited.
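To make the mechanism concrete, an added example that is neither Revive Adserver nor Symfony code: a minimal resolver for "%name%" references of the kind a dependency injection container performs on its parameters, the failure that an unescaped setting value triggers, and the escaping that turns the value back into a literal. The parameter name `kernel.cache_dir` is taken from the advisory; the setting value and helper names are constructed.

```php
<?php
// Added illustration, not Revive Adserver or Symfony code. A toy "%name%"
// resolver; setting value and helper names are hypothetical.
declare(strict_types=1);

final class ParameterNotFound extends RuntimeException {}

// Resolve "%name%" references against $params; "%%" is a literal "%".
function resolve(string $value, array $params): string
{
    return preg_replace_callback('/%%|%([^%\s]+)%/', function (array $m) use ($params): string {
        if ($m[0] === '%%') {
            return '%';
        }
        if (!array_key_exists($m[1], $params)) {
            throw new ParameterNotFound("Parameter '{$m[1]}' not found");
        }
        return (string) $params[$m[1]];
    }, $value);
}

// Values that come from the editable settings file are data, not references:
// double every "%" before they are registered as container parameters.
function escapeParameter(string $value): string
{
    return str_replace('%', '%%', $value);
}

$params = ['kernel.cache_dir' => '/var/cache/revive'];

// Constructed: an administrator saves a setting whose text happens to parse
// as a reference. Unescaped, the resolver looks up a parameter named "off",
// finds nothing and throws; in the real application this surfaced as a
// fatal error that took down the admin console.
$setting = 'Discount 50%off%';

$unescapedFailed = false;
try {
    resolve($setting, $params);
} catch (ParameterNotFound $e) {
    $unescapedFailed = true;
}

// Escaped, the same setting round-trips unchanged, while a reference that
// the application itself writes still resolves.
$roundTrip = resolve(escapeParameter($setting), $params);
$cacheDir  = resolve('%kernel.cache_dir%/foo/bar', $params);

var_dump($unescapedFailed, $roundTrip === $setting, $cacheDir);
```

The general rule is the one behind every format-string bug: a value that originates outside the code must be passed to the interpreter as data, never as part of the template, and the escaping has to happen at the boundary where the two meet.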

References
----------
https://hackerone.com/reports/3399218
https://github.com/revive-adserver/revive-adserver/commit/ac23ace
https://github.com/revive-adserver/revive-adserver/commit/bd367d2
https://cwe.mitre.org/data/definitions/134.html

 
========================================================================
Solution
========================================================================

We recommend updating to the most recent 5.5.3 or 6.0.2 version of 
Revive Adserver, or whatever happens to be the current release at the 
time of reading this security advisory.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.

-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
