CVE-2015-7372

Directory traversal vulnerability in delivery-dev/al.php in Revive Adserver before 3.2.2 allows remote attackers to include and execute arbitrary local files via a .. dot dot in the layerstyle parameter...

CVE-2015-7371

Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service resource consumption via a direct request...

CVE-2015-7370

Multiple cross-site scripting XSS vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive Adserver before 3.2.2 and CA Release Automation formerly LISA Release Automation 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and...

CVE-2015-7369

The default Flash cross-domain policy crossdomain.xml in Revive Adserver before 3.2.2 does not restrict access cross domain access, which allows remote attackers to conduct cross domain attacks via unspecified vectors...

CVE-2015-7368

Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...

CVE-2015-7367

Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been 1 deleted or 2 unlinked...

CVE-2015-7366

Multiple cross-site request forgery CSRF vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that 1 perform certain plugin actions and possibly cause a denial of service disabled core plugins via unknown vectors or 2 change the...

CVE-2015-7365

Cross-site scripting XSS vulnerability in the plugin upgrade form in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of an uploaded file containing errors...

Design/Logic Flaw

Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service resource consumption via a direct request...

Design/Logic Flaw

Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...

Cross site request forgery (csrf)

The HTMLQuickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an empty token...

Cross site scripting

Cross-site scripting XSS vulnerability in the plugin upgrade form in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of an uploaded file containing errors...

Directory traversal

Directory traversal vulnerability in delivery-dev/al.php in Revive Adserver before 3.2.2 allows remote attackers to include and execute arbitrary local files via a .. dot dot in the layerstyle parameter...

Cross site scripting

The default Flash cross-domain policy crossdomain.xml in Revive Adserver before 3.2.2 does not restrict access cross domain access, which allows remote attackers to conduct cross domain attacks via unspecified vectors...

Cross site request forgery (csrf)

Multiple cross-site request forgery CSRF vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that 1 perform certain plugin actions and possibly cause a denial of service disabled core plugins via unknown vectors or 2 change the...

Code injection

Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been 1 deleted or 2 unlinked...

Cross site scripting

Multiple cross-site scripting XSS vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive Adserver before 3.2.2 and CA Release Automation formerly LISA Release Automation 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and...

CVE-2015-7364

The HTMLQuickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an empty token...

Cross site scripting

Cross-site scripting XSS vulnerability in the "magic-macros" feature in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via a GET parameter, which is not properly handled in a banner...

CVE-2015-7369

The default Flash cross-domain policy crossdomain.xml in Revive Adserver before 3.2.2 does not restrict access cross domain access, which allows remote attackers to conduct cross domain attacks via unspecified vectors...