Lucene search
K

๐Ÿ“„ Revive Adserver 6.0.7 CSRF / XSS / Code Injection

๐Ÿ—“๏ธย 09 Jul 2026ย 00:00:00Reported byย Matteo BeccatiTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 23ย Views

Revive Adserver 6.0.7 fixes improper access control and adds ownership validation for linking campaigns to trackers

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-50739
26 Jun 202601:11
โ€“attackerkb
ATTACKERKB
CVE-2026-50744
26 Jun 202601:11
โ€“attackerkb
ATTACKERKB
CVE-2026-50740
26 Jun 202601:11
โ€“attackerkb
ATTACKERKB
CVE-2026-50741
26 Jun 202601:11
โ€“attackerkb
ATTACKERKB
CVE-2026-50745
26 Jun 202601:11
โ€“attackerkb
ATTACKERKB
CVE-2026-50742
26 Jun 202601:11
โ€“attackerkb
Circl
CVE-2026-34916
26 Jun 202602:22
โ€“circl
Circl
CVE-2026-50739
26 Jun 202602:51
โ€“circl
Circl
CVE-2026-50740
26 Jun 202602:56
โ€“circl
Circl
CVE-2026-50741
26 Jun 202602:22
โ€“circl
Rows per page
========================================================================
    Revive Adserver Security Advisory                     REVIVE-SA-2026-003
    ------------------------------------------------------------------------
    https://www.revive-adserver.com/security/revive-sa-2026-003
    ------------------------------------------------------------------------
    Date: 2026-06-25
    Risk Level: Medium to High
    Applications affected: Revive Adserver
    Versions affected: <= 6.0.7
    Versions not affected: >= 6.0.8
    Website: https://www.revive-adserver.com/
    ========================================================================
    
    
    ========================================================================
    1. Improper Access Control
    ========================================================================
    Vulnerability Type:    CWE-284: Improper Access Control
    CVE-ID:                CVE-2026-50739
    Risk level:            Medium
    CVSS Base Score:       4.3
    CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member hakuopi (and independently sy2no, 
    garuthacktvist, and aszh) has reported a bypass of the fix for 
    CVEโ€‘2026โ€‘34913. Proper ownership validation had not been applied to the 
    reverse operation of linking campaigns and trackers through the 
    `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As 
    a result, a lowโ€‘privileged user could link their trackers to campaigns 
    owned by other managers on the same instance, leading to inconsistent 
    ownership relationships.
    
    Resolution
    ----------
    Ownership validation has been added to ensure that campaigns can only be 
    linked to trackers owned by the same advertiser.
    
    References
    ----------
    https://hackerone.com/reports/3780709
    https://github.com/revive-adserver/revive-adserver/commit/c03a0b6d
    https://cwe.mitre.org/data/definitions/284.html
    
    
    ========================================================================
    2. Reflected XSS
    ========================================================================
    Vulnerability Type:    CWE-79: Cross-site Scripting
    CVE-ID:                CVE-2026-50740
    Risk level:            Medium
    CVSS Base Score:       6.1
    CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member Mahmoud Khaled (Kanon4) has reported a 
    missing sanitisation of user input in the `zone-include.php` script of 
    Revive Adserver 6.0.7 and earlier. A lowโ€‘privileged user could exploit 
    the `refresh` parameter of the iFrame invocation tag to perform 
    reflected XSS attacks.
    
    Resolution
    ----------
    Input sanitisation has been improved to ensure that the affected 
    parameter is properly validated.
    
    References
    ----------
    https://hackerone.com/reports/3780806
    https://github.com/revive-adserver/revive-adserver/commit/03d9ad8b
    https://cwe.mitre.org/data/definitions/79.html
    
    
    ========================================================================
    3. Remote Code Execution
    ========================================================================
    Vulnerability Type:    CWE-94: Code Injection
    CVE-ID:                CVE-2026-50741
    Risk level:            High
    CVSS Base Score:       8.8
    CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community members Rio Darmawan (riodrwn) and Mikhail Ilin 
    (doomtech) have independently reported new vectors to bypass the fix for 
    CVEโ€‘2026โ€‘34916. Variants of such vectors were also reported by phucrio 
    and offsetmd. The fix could be bypassed either by sending a disallowed 
    but otherwise valid plugin identifier as `type`, or by using the 
    `ox.setChannelTargeting` XMLโ€‘RPC API method.
    
    Resolution
    ----------
    Validation of plugin identifiers and XMLโ€‘RPC inputs has been 
    strengthened to prevent unsafe code paths.
    
    References
    ----------
    https://hackerone.com/reports/3780854
    https://hackerone.com/reports/3781492
    https://github.com/revive-adserver/revive-adserver/commit/3d1485de
    https://github.com/revive-adserver/revive-adserver/commit/becaf6e7
    https://cwe.mitre.org/data/definitions/94.html
    
    
    ========================================================================
    4. Stored XSS
    ========================================================================
    Vulnerability Type:    CWE-79: Cross-site Scripting
    CVE-ID:                CVE-2026-50742
    Risk level:            Medium
    CVSS Base Score:       4.4
    CVSS Vector:           CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member Althaf Shajahan (AnGrY) has reported stored 
    XSS vulnerabilities in the `maintenance-acl-check.php` and 
    `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The 
    issue was caused by entity names being displayed without proper escaping 
    when inconsistencies were detected. Whether the XSS payload is executed 
    when an administrator uses the affected maintenance tools is not 
    entirely under the attackerโ€™s control.
    
    Resolution
    ----------
    Output encoding has been corrected to ensure entity names are safely 
    escaped in the affected maintenance tools.
    
    References
    ----------
    https://hackerone.com/reports/3781311
    https://github.com/revive-adserver/revive-adserver/commit/91abb6ab
    https://cwe.mitre.org/data/definitions/79.html
    
    
    ========================================================================
    5. Cross-Site Request Forgery
    ========================================================================
    Vulnerability Type:    CWE-352: Cross-Site Request Forgery
    CVE-ID:                CVE-2026-50743
    Risk level:            Medium
    CVSS Base Score:       5.4
    CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member Althaf Shajahan (AnGrY) has reported that the 
    `zone-include.php` script in Revive Adserver 6.0.7 was vulnerable to a 
    CSRF attack. Linking and unlinking banners or campaigns to zones could 
    be triggered via crafted GET or POST requests without any verification 
    of the CSRF token, allowing an attacker to perform these actions on 
    behalf of an authenticated administrator.
    
    Resolution
    ----------
    CSRF token checks have been added to all link and unlink operations in 
    `zone-include.php`.
    
    References
    ----------
    https://hackerone.com/reports/3781691
    https://github.com/revive-adserver/revive-adserver/commit/e3c84d6f
    https://cwe.mitre.org/data/definitions/352.html
    
    
    ========================================================================
    6. Improper Access Control
    ========================================================================
    Vulnerability Type:    CWE-284: Improper Access Control
    CVE-ID:                CVE-2026-50744
    Risk level:            Medium
    CVSS Base Score:       4.3
    CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member Kenji Subagja (garuthacktivist) has reported 
    a way to bypass the adminโ€‘only restriction of the XMLโ€‘RPC API in Revive 
    Adserver 6.0.7. The API response for the `ox.login` method returned a 
    session ID cookie in the HTTP headers, and although the method correctly 
    returned an error, the associated session was not invalidated. As a 
    result, the leaked session ID could be used to perform subsequent API 
    calls without restrictions.
    
    Resolution
    ----------
    The XMLโ€‘RPC login handler now invalidates failed sessions and no longer 
    exposes session identifiers.
    
    References
    ----------
    https://hackerone.com/reports/3783738
    https://github.com/revive-adserver/revive-adserver/commit/3e04cb4a
    https://cwe.mitre.org/data/definitions/284.html
    
    
    ========================================================================
    7. Reflected XSS
    ========================================================================
    Vulnerability Type:    CWE-79: Cross-site Scripting
    CVE-ID:                CVE-2026-50745
    Risk level:            Medium
    CVSS Base Score:       4.7
    CVSS Vector:           CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
    ------------------------------------------------------------------------
    
    Description
    -----------
    HackerOne community member Mahmoud Khaled (Kanon4) has reported a 
    missing sanitisation of user input in the `stats-video.php` script. The 
    way URLs to this script were constructed did not follow best practices, 
    and the output of the Smarty custom helper function `url` was neither 
    properly encoded nor sanitised, allowing userโ€‘supplied input to be 
    reflected without escaping.
    
    Resolution
    ----------
    URL construction and parameter handling have been updated to ensure 
    proper sanitisation and encoding.
    
    References
    ----------
    https://hackerone.com/reports/3793243
    https://github.com/revive-adserver/revive-adserver/commit/a570a0c1
    https://cwe.mitre.org/data/definitions/79.html
    
    
    ========================================================================
    Solution
    ========================================================================
    
    We recommend updating to the most recent 6.0.8 version of Revive 
    Adserver, or whatever happens to be the current release at the time of 
    reading this security advisory.
    
    
    ========================================================================
    Contact Information
    ========================================================================
    
    The security contact for Revive Adserver can be reached at:
    <security AT revive-adserver DOT com>.
    
    Please review https://www.revive-adserver.com/security/ before doing so.
    
    
    --
    Matteo Beccati
    On behalf of the Revive Adserver Team
    https://www.revive-adserver.com/

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

09 Jul 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 38.8
CVSS 3.16.1
EPSS0.02734
SSVC
23