{"hackerone": [{"lastseen": "2023-09-25T18:52:29", "bounty": 0.0, "description": "From @l4stb1t original report:\n\nThere are multiple XSS vulnerabilities on the default layerstyles provided by the adserver.\n\nFor the \"simple\" layer style (source code at \"plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/simple/layerstyle.inc.php\"):\n - CSS code injection on the \"padding\" parameter\n - CSS code injection on the \"bordercolor\" parameter\n - JavaScript code injection on the \"shifth\" parameter when the \"align\" parameter is set to \"center\"\n - JavaScript code injection on the \"shiftv\" parameter when the \"valign\" parameter is set to \"middle\"\n\nFor the \"geocities\" layer style (source code at \"plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/geocities/layerstyle.inc.php\"):\n - CSS code injection on the \"padding\" parameter\n - HTML code injection on the \"closetext\" parameter\n\nFor the \"floater\" layer style (source code at \"plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/floater/layerstyle.inc.php\"):\n - JavaScript code injection on the \"rmargin\" parameter\n - JavaScript code injection on the \"lmargin\" parameter\n - CSS code injection on the \"shiftv\" parameter\n - JavaScript code injection on the \"loop\" parameter\n\nFor the \"cursor\" layer style (source code at \"plugins_repo/openXInvocationTags/plugins/invocationTags/oxInvocationTags/layerstyles/cursor/layerstyle.inc.php\"):\n - JavaScript code injection on the \"stickyness\" parameter when the \"trail\" parameter is set to \"1\"\n - JavaScript code injection on the \"offsetx\" parameter when the \"trail\" parameter is set to \"1\"\n - JavaScript code injection on the \"offsety\" parameter when the \"trail\" parameter is set to \"1\"\n - JavaScript code injection on the \"transparancy\" parameter\n - JavaScript code injection on the \"delay\" parameter when the \"hide\" parameter is set to \"1\"\n\nThe vulnerabilities may also affect other layerstyles copied from the ones listed above.\nThrough the CSS code injection an attacker may create requests to external resources by supplying \"0;background:url(<link here>);\", while through the HTML and JavaScript code injection the attacker may run JavaScript code on the host website.\n\nExample exploitation:\nAssuming that the adserver runs under ads.example.com, and the zoneid 1 is a valid id of an active campaign, an attacker may conduct the following request from the server:\nhttps://ads.example.com/www/delivery/al.php?zoneid=1&layerstyle=geocities&closetext=%3Cscript%3Ealert(123);%3C/script%3E\nand the server will return JavaScript code with the attacker's payload as delivered by the closetext parameter.\n\n## Impact\n\nSince the endpoints return JavaScript code, to benefit from the exploitation of the vulnerability the attacker has to chain it along with a specific behavior on the host site (the site showing the ads) allowing him to alter the parameters passed to the adserver. For example, if the host site forwards a client identifier from its parameters to the parameters of the adserver (e.g. passing a kid=XYZ), an attacker may use this to smuggle extra parameters to the adserver and eventually run JavaScript code or make external requests.\n\nThis method could also be used by an attacker to bypass Cross-Origin Resource Sharing (CORS) rules assuming that the adserver is whitelisted.\n\nThus, the impact of this vulnerability is relatively small.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-09-07T21:32:37", "type": "hackerone", "title": "Revive Adserver: Multiple cross-site scripting (XSS) vulnerabilities in Revive Adserver", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-38040"], "modified": "2023-09-13T12:17:54", "id": "H1:1694171", "href": "https://hackerone.com/reports/1694171", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}