Revive Adserver: Cross Site Scripting and Open Redirect in affiliate-preview.php file

Summary:

Stored XSS can be submitted on the Website using Default Manager, and anyone who will check the report the XSS and Open Redirect will trigger.

Description:

Stored XSS, also known as persistent XSS, is the more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application.

Steps To Reproduce:

1. Login with valid credentials of the user.
2. Go to inventory > Website > Website Properties
3. Fill the form and Enter Website URL as “http://Test”><img src>". Click Save Changes.
4. Login with an administrator account.
5. Open http://localhost/hackerone/www/admin/affiliate-preview.php?codetype=invocationTags%3AoxInvocationTags%3Aspc&block=0&blockcampaign=0&target=&source=&withtext=0&charset=&noscript=1&ssl=0&comments=0&affiliateid=1&submitbutton=Generate
6. Click on Header Script Banner there is image click on that it will execute xss or open redirect.

Impact

###Impact
Users can redirect the admin user or any normal user to any other website evil.com.