Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.
{"id": "CVE-2021-22873", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-22873", "description": "Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.", "published": "2021-01-26T18:16:00", "modified": "2021-02-02T15:09:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22873", "reporter": "cve-assignments@hackerone.com", "references": ["https://hackerone.com/reports/1081406", "https://github.com/revive-adserver/revive-adserver/issues/1068", "http://seclists.org/fulldisclosure/2021/Jan/60", 
"http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html", "https://www.revive-adserver.com/security/revive-sa-2021-001/"], "cvelist": ["CVE-2021-22873"], "immutableFields": [], "lastseen": "2022-03-23T14:23:22", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "hackerone", "idList": ["H1:1081406"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161070"]}], "rev": 4}, "score": {"value": 4.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "hackerone", "idList": ["H1:1081406"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161070"]}]}, "exploitation": null, "vulnersScore": 4.3}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-601"], "affectedSoftware": [{"cpeName": "revive-adserver:revive_adserver", "version": "5.1.0", "operator": "lt", "name": "revive-adserver revive adserver"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:revive-adserver:revive_adserver:5.1.0:*:*:*:*:*:*:*", "versionEndExcluding": "5.1.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://hackerone.com/reports/1081406", "name": "https://hackerone.com/reports/1081406", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/revive-adserver/revive-adserver/issues/1068", "name": "https://github.com/revive-adserver/revive-adserver/issues/1068", "refsource": "MISC", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Jan/60", "name": "20210122 [REVIVE-SA-2021-001] Revive Adserver Vulnerabilities", "refsource": "FULLDISC", "tags": ["Broken Link", "Mailing List", "Third Party Advisory"]}, {"url": 
"http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html", "name": "http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html", "refsource": "MISC", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.revive-adserver.com/security/revive-sa-2021-001/", "name": "https://www.revive-adserver.com/security/revive-sa-2021-001/", "refsource": "MISC", "tags": ["Vendor Advisory"]}]}
{"hackerone": [{"lastseen": "2021-02-03T23:02:19", "bounty": 0.0, "description": "An opportunity for open redirects has been available by design since the\nearly versions of Revive Adserver's predecessors in the impression and\nclick tracking scripts to allow third party ad servers to track such\nmetrics when delivering ads. Historically the display advertising\nindustry has considered that to be a feature, not a real vulnerability.\n\nThe lg.php and ck.php delivery scripts are subject to open redirect via\neither dest, oadest and/or ct0 parameters.\n\n## Impact\n\nUsers seeing a trustworthy domain could be redirected to a malicious URL without realising.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-01-19T12:51:23", "type": "hackerone", "title": "Revive Adserver: Open redirect in ck.php and lg.php", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22873"], "modified": "2021-01-20T11:04:49", "id": "H1:1081406", "href": "https://hackerone.com/reports/1081406", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "packetstorm": [{"lastseen": 
"2021-01-25T17:29:01", "description": "", "published": "2021-01-24T00:00:00", "type": "packetstorm", "title": "Revive Adserver 5.0.5 Cross Site Scripting / Open Redirect", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-22871", "CVE-2021-22872", "CVE-2021-22873"], "modified": "2021-01-24T00:00:00", "id": "PACKETSTORM:161070", "href": "https://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html", "sourceData": "`======================================================================== \nRevive Adserver Security Advisory REVIVE-SA-2021-001 \n------------------------------------------------------------------------ \nhttps://www.revive-adserver.com/security/revive-sa-2021-001 \n------------------------------------------------------------------------ \nCVE-IDs: CVE-2021-22871, CVE-2021-22872, CVE-2021-22873 \nDate: 2020-01-19 \nRisk Level: Low \nApplications affected: Revive Adserver \nVersions affected: <= 5.0.5 \nVersions not affected: >= 5.1.0 \nWebsite: https://www.revive-adserver.com/ \n======================================================================== \n \n \n======================================================================== \nVulnerability 1 - Persistent XSS \n======================================================================== \nVulnerability Type: Improper Neutralization of Input During Web Page \nGeneration ('Cross-site Scripting') [CWE-79] \nCVE-ID: CVE-2021-22871 \nCVSS Base Score: 3.5 \nCVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N \nCVSS Impact Subscore: 2.5 \nCVSS Exploitability Subscore: 0.9 \n======================================================================== \n \nDescription \n----------- \nA persistent XSS vulnerability has been discovered by security \nresearcher Keyur Vala. An attacker with manager account credentials could \nstore HTML code in a website property, which could subsequently be \ndisplayed unescaped on a specific page by other users in the system. 
\n \n \nDetails \n------- \nAny user with a manager account could store specifically crafted content \nin the URL website property which was then displayed unsanitised in the \naffiliate-preview.php tag generation screen, potentially by other users \nin the system, allowing a persistent XSS attack to take place. \nThe target users would however mostly have access to the same resources \nas the attacker, so the practical applications are not considered \nparticularly harmful, especially since the session cookie cannot be \naccessed via JavaScript. \n \n \nReferences \n---------- \nhttps://hackerone.com/reports/819362 \nhttps://github.com/revive-adserver/revive-adserver/commit/89b88ce26 \nhttps://github.com/revive-adserver/revive-adserver/commit/62a2a0439 \nhttps://cwe.mitre.org/data/definitions/79.html \n \n \n \n======================================================================== \nVulnerability 2 - Reflected XSS \n======================================================================== \nVulnerability Type: Improper Neutralization of Input During Web Page \nGeneration ('Cross-site Scripting') [CWE-79] \nCVE-ID: CVE-2021-22872 \nCVSS Base Score: 4.3 \nCVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N \nCVSS Impact Subscore: 1.4 \nCVSS Exploitability Subscore: 2.8 \n======================================================================== \n \nDescription \n----------- \n \nSecurity researcher Axel Flamcourt has discovered that the fix for the \nreflected XSS vulnerability in REVIVE-SA-2020-001 could be bypassed on \nolder browsers with specifically crafted payloads to the publicly \naccessible afr.php delivery script of Revive Adserver. The practical \napplications are not considered particularly harmful, especially since \nthe session cookie cannot be accessed via JavaScript. 
\n \n \nDetails \n------- \nThe previous fix was working on most modern browsers, but some older \nbrowsers are not automatically URL-encoding parameters and would leave \nan opportunity to inject closing and opening script tags and achieve \nreflected XSS attacks e.g. on IE11. \n \n \nReferences \n---------- \nhttps://hackerone.com/reports/986365 \nhttps://www.revive-adserver.com/security/revive-sa-2020-001 \nhttps://github.com/revive-adserver/revive-adserver/commit/00fdb8d0e \nhttps://github.com/revive-adserver/revive-adserver/commit/1dbcf7d50 \nhttps://cwe.mitre.org/data/definitions/79.html \n \n \n======================================================================== \nVulnerability 3 - Open Redirect \n======================================================================== \nVulnerability Type: URL Redirection to Untrusted Site \n('Open Redirect') [CWE-601] \nCVE-ID: CVE-2021-22873 \nCVSS Base Score: 5.4 \nCVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N \nCVSS Impact Subscore: 2.5 \nCVSS Exploitability Subscore: 2.8 \n======================================================================== \n \nDescription \n----------- \nAn opportunity for open redirects has been available by design since the \nearly versions of Revive Adserver's predecessors in the impression and \nclick tracking scripts to allow third party ad servers to track such \nmetrics when delivering ads. Historically the display advertising \nindustry has considered that to be a feature, not a real vulnerability. \nThings have evolved since then and third party click tracking via \nredirects is not a viable option anymore, therefore any functionality \nusing open redirects in delivery scripts has been removed from Revive \nAdserver. \n \n \nDetails \n------- \nThe lg.php and ck.php delivery scripts were subject to open redirect via \neither dest, oadest and/or ct0 parameters. 
All of them are now ignored \nand redirects are only performed (when applicable) to destination URLs \nstored in the properties of the banner being displayed. A new signed \nclick delivery script has been introduced with an HMAC-signed \ndestination parameter, allowing customisable destination URLs while \npreventing destinations from being tampered with by attackers. \n \n \nReferences \n---------- \nhttps://hackerone.com/reports/1081406 \nhttps://github.com/revive-adserver/revive-adserver/issues/1068 \nhttps://cwe.mitre.org/data/definitions/601.html \n \n \n \n======================================================================== \nSolution \n======================================================================== \n \nWe strongly advise people to upgrade to the most recent 5.1.0 version of \nRevive Adserver. \n \n \n======================================================================== \nContact Information \n======================================================================== \n \nThe security contact for Revive Adserver can be reached at: \n<security AT revive-adserver DOT com>. \n \nPlease review https://www.revive-adserver.com/security/ before doing so. \n \n \n-- \nMatteo Beccati \nOn behalf of the Revive Adserver Team \nhttps://www.revive-adserver.com/ \n \n \n \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161070/REVIVE-SA-2021-001.txt"}]}