Revive Adserver: Stored XSS in Conversion Statistics via Tracker Name

I found stored XSS on the conversion statistics page. Advertisers can inject malicious JavaScript through tracker names, which executes when admins view conversion reports www/admin/stats-conversions.php:356. I was able to steal admin session cookies using this vulnerability. This is a privilege...