Message-ID: <3b86783c-ccd6-4cb7-9397-8946a6f20840@beccati.com>
Date: Wed, 26 Nov 2025 15:23:39 +0100
From: Matteo Beccati <php@...cati.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [REVIVE-SA-2025-005] Revive Adserver Vulnerability

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-005
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-005
------------------------------------------------------------------------
Date:                  2025-11-26
Risk Level:            Medium
Applications affected: Revive Adserver
Versions affected:     <= 6.0.3
Versions not affected: >= 6.0.4
Website:               https://www.revive-adserver.com/
========================================================================

========================================================================
Vulnerability: Incomplete List of Disallowed Inputs
========================================================================
Vulnerability Type:    Incomplete List of Disallowed Inputs [CWE-184]
CVE-ID:                CVE-2025-55129
Risk Level:            Medium
CVSS Base Score:       5.4
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Kassem S. (kassem_s94) has reported that
username handling in Revive Adserver was still vulnerable to
impersonation attacks after the fix for CVE-2025-52672, via several
alternate techniques. Homoglyph-based impersonation has been
independently reported by other HackerOne community members, such as
itz_hari_ and khoof.

Details
-------
Username validation historically allowed full UTF-8 usernames. That was
supposed to be a feature, but it could be used maliciously to generate
usernames visually identical to existing ones, using various techniques,
such as homoglyph characters, zero-width spaces, RTL override, and
potentially others. An attacker with user creation permissions could
specifically craft a username and trick an administrator user into
granting other permissions to it rather than to the legitimate user.
Following the report, only usernames with a limited character set
(variant of POSIX.1-2017) are now allowed.

References
----------
https://hackerone.com/reports/3434156
https://github.com/revive-adserver/revive-adserver/commit/1a4843e
https://cwe.mitre.org/data/definitions/184.html

========================================================================
Solution
========================================================================

We recommend updating to the most recent 6.0.4 version of Revive
Adserver, or whatever happens to be the current release at the time of
reading this security advisory.

========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.
We only accept security reports through HackerOne.

--
Matteo Beccati

On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
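
Added example (not part of the advisory and not Revive Adserver's code): a denylist-style username check of the kind CWE-184 describes, next to an allowlist check, run over constructed look-alike usernames. The denylist contents, the function names and the exact allowed character set (the POSIX.1-2017 portable user name set) are assumptions; the advisory only says the fix uses a "variant" of it.

```python
import re
import unicodedata

# Assumption: POSIX.1-2017 portable user names (A-Z a-z 0-9 . _ -, hyphen
# not first). The advisory only says "variant of POSIX.1-2017".
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._-]")
POSIX_USERNAME = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]*")

# Hypothetical denylist of the kind CWE-184 describes: it only covers the
# characters its author happened to think of.
DENYLIST = {"\u200b", "\u202e"}  # zero-width space, right-to-left override


def denylist_accepts(name: str) -> bool:
    return bool(name) and not any(ch in DENYLIST for ch in name)


def allowlist_accepts(name: str) -> bool:
    # fullmatch, not match with "$": "$" would also accept a trailing newline.
    return POSIX_USERNAME.fullmatch(name) is not None


def explain(name: str) -> list[str]:
    """Describe each code point outside the allowed set, for audit logs."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} ({unicodedata.category(ch)})"
        for ch in name
        if not ALLOWED_CHAR.fullmatch(ch)
    ]


# Constructed sample usernames, all rendering like or close to "admin".
SAMPLES = {
    "plain ASCII": "admin",
    "Cyrillic homoglyph": "\u0430dmin",
    "zero-width space": "ad\u200bmin",
    "zero-width joiner": "ad\u200dmin",
    "RTL override": "\u202enimda",
    "fullwidth letter": "\uff41dmin",
}


def audit(samples: dict[str, str]) -> dict[str, tuple[bool, bool, list[str]]]:
    return {k: (denylist_accepts(v), allowlist_accepts(v), explain(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (deny_ok, allow_ok, why) in audit(SAMPLES).items():
        print(f"{label:20} denylist={deny_ok!s:5} allowlist={allow_ok!s:5} {'; '.join(why)}")
```

Running `explain()` over the usernames already stored in an installation lists the accounts that would no longer pass the stricter rule and names the offending code points.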