66 matches found
CVE-2020-8115
Revive Adserver
CVE-2019-5440
CVE-2019-5440 affects Revive Adserver versions prior to 4.2.1. The password recovery token is generated via generateRecoveryId() using PHP uniqid, which relies on the current time and provides weak entropy, potentially enabling authentication bypass through the password recovery feature. Affected...
CVE-2020-8142
CVE-2020-8142 affects Revive Adserver
CVE-2021-22873
Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of lg.php and ck.php delivery scripts. The underlying issue is an open redirect that can send users to arbitrary sites and potentially facilitate phishing or other abuses. Affected versions are p...
CVE-2020-8143
Revive Adserver prior to 5.0.5 is affected by an Open Redirect. An attacker can entice a logged-in user to click a crafted link and be redirected, via the returnurl parameter in admin-modify endpoints (e.g., /www/admin/campaign-modify.php). The CSRF check could be bypassed if no meaningful parame...
CVE-2014-8793
CVE‑2014‑8793 is a documented Cross‑Site Scripting (XSS) vulnerability in Revive Adserver, affecting the file path lib/max/Admin/UI/Field/PublisherIdField.php and exploitable via the refresh_page parameter to www/admin/report-generate.php . The issue arises from inadequate sanitization of input, ...
CVE-2023-38040
Revive Adserver is affected by a reflected XSS vulnerability (CVE-2023-38040) in version 5.4.1 and earlier. The issue enables attackers to inject and execute malicious scripts in a victim’s browser, as indicated by the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) with a base score of 6.1...
CVE-2015-7371
CVE-2015-7371 affects Revive Adserver
CVE-2013-7149
CVE-2013-7149 describes a SQL injection in Revive Adserver’s XML-RPC delivery script (www/delivery/axmlrpc.php) via the what parameter, affecting Revive Adserver <= 3.0.1 and OpenX Source
CVE-2015-7373
CVE-2015-7373 : Revive Adserver (
CVE-2015-7365
Revive Adserver is affected by CVE-2015-7365: a reflected XSS in the plugin upgrade form where filenames of uploaded files containing errors are not properly escaped. The vulnerability affects Revive Adserver versions
CVE-2016-9470
Revive Adserver is affected by a Reflected File Download (RFD) vulnerability in the file www/delivery/asyncspc.php, impacting versions before 3.2.5 and 4.0.0. The issue allows an attacker to cause a victim’s machine to download a file from a trusted domain, potentially gaining control of the vict...
CVE-2021-22875
Revive Adserver is affected by CVE-2021-22875: a reflected XSS in stats.php via the setPerPage parameter, impacting Revive Adserver versions up to 5.1.0 (fixed in 5.1.1). The root cause is insufficient input validation/neutralization of user-supplied data in the request parameters, allowing injec...
CVE-2021-22888
CVE-2021-22888 affects Revive Adserver prior to 5.2.0, with a reflected XSS in the status parameter of campaign-zone-zones.php. An attacker who can lure a user with UI access to click a crafted URL can execute injected JavaScript in the user’s browser. Public sources in the connected set confirm ...
CVE-2015-7364
CVE-2015-7364 affects Revive Adserver up to and including version 3.2.1, where the HTML_Quickform library allows bypassing CSRF protection by sending an empty token in POST data. This enables potential unauthorized actions such as modifying banners, zones, and settings. The entry is mitigated by ...
CVE-2015-7368
Revive Adserver before 3.2.2 is affected by CVE-2015-7368: it does not send proper Cache-Control headers for admin UI pages, allowing local users to access cached sensitive information after logout. Affected product/version: Revive Adserver prior to 3.2.2. Root cause: improper header handling lea...
CVE-2015-7369
Revive Adserver before 3.2.2 is affected by multiple CVEs (including CVE-2015-7369: overly permissive crossdomain.xml) that enable cross-domain attacks and session cookie exposure. Core issue: default crossdomain.xml permissions allow access from other domains, facilitating cross-domain attacks. ...
CVE-2017-5830
CVE-2017-5830 affects Revive Adserver prior to 4.0.1, where an attacker can execute arbitrary code by sending serialized data in cookies used by delivery scripts. The impact is remote code execution with high severity (per CVSS scores in sources). Affected component: the delivery-script cookies h...
CVE-2015-7366
CVE-2015-7366 affects Revive Adserver prior to 3.2.2. The vulnerability arises from insufficient CSRF protection: certain plugin actions can be triggered via GET requests without tokens, and account-user-*.php POST requests can bypass CSRF checks. This could allow remote attackers to hijack user ...
CVE-2015-7372
This CVE (CVE-2015-7372) affects Revive Adserver up to version 3.2.1. The vulnerability is a Local File Inclusion in the layerstyle parameter of al.php, allowing remote attackers to include and execute arbitrary local files by crafting the layerstyle value (potentially involving a layerstyle.inc....
CVE-2021-22871
Revive Adserver
CVE-2015-7367
Revive Adserver (versions
CVE-2016-9127
Revive Adserver prior to 3.2.3 is affected by a CSRF vulnerability in the password recovery form, enabling an attacker to trigger mass password recovery emails to registered users. The issue, together with a related bug that could send recovery emails to all users, has been fixed in version 3.2.3...
CVE-2021-22872
Revive Adserver
CVE-2014-8875
Revive Adserver is affected by CVE-2014-8875 due to an XML Entity Expansion (XEE) vulnerability in the XML_RPC_cd function of lib/pear/XML/RPC.php. The advisory details that the Revive Adserver XML-RPC endpoints (delivery/XMLRPC and API endpoints) may be exploited by crafted XML payloads to exhau...
CVE-2015-7370
The CVE-2015-7370 entry applies to Revive Adserver’s VideoAds component using Open Flash Chart 2, where open-flash-chart.swf is vulnerable to reflected XSS via id and data-file parameters. Affects Revive Adserver up to 3.2.1 (and related CA/OpenX integrations) with the VideoAds plugin; CVSS v2 ba...
CVE-2016-9130
CVE-2016-9130 concerns Revive Adserver prior to 3.2.3, which is vulnerable to a Persistent XSS via the user interface due to improper escaping of the website name in campaign-zone.php. The underlying issue is a failure to escape displayed data, allowing a trusted (non-admin) attacker to inject sc...
CVE-2019-5433
CVE-2019-5433 describes an open redirect in Revive Adserver’s admin/account-switch.php. A user with UI access could be tricked by a crafted return_url parameter into visiting an external, potentially phishing, domain, enabling credential theft or similar abuse. The issue arises from unrestricted ...
CVE-2021-22874
Revive Adserver prior to 5.1.1 is affected by a reflected XSS in userlog-index.php via the period_preset parameter. Public details include a proof-of-concept from HackerOne showing injection on /admin/userlog-index.php with period_preset, enabling script injection and potential cookie theft or re...
CVE-2021-22948
The CVE-2021-22948 affects revive-adserver, specifically versions prior to 5.3.0. The issue stems from generating session IDs with PHP’s insecure uniqid() function, which under certain conditions could allow an attacker to brute-force session IDs and take over a user account. The Red Hat and NVD ...
CVE-2013-5954
CVE-2013-5954 describes multiple CSRF vulnerabilities in OpenX 2.8.11 and earlier, exploited via GET requests that delete data (e.g., users, advertisers, banners, campaigns, channels, affiliate websites, zones) in Revive Adserver/OpenX administration. The Revive Adserver advisory confirms these i...
CVE-2016-9456
CVE-2016-9456 affects Revive Adserver prior to 3.2.3, which suffers CSRF in admin interface scripts. The Revive Adserver team audited the admin scripts and fixed 20+ CSRF-related issues. Upgrade to 3.2.3 or later to mitigate. Exploitation details are not provided in the connected documents.
CVE-2021-22889
Summary: Revive Adserver prior to v5.2.0 is affected by a reflected XSS in the statsBreakdown parameter (stats.php) caused by unescaped single quotes. An attacker with UI access could lure a user into a crafted URL and, by triggering a key combination, execute injected JavaScript in the context o...
CVE-2016-9124
Revive Adserver prior to 3.2.3 is affected by improper restriction of excessive authentication attempts on the login page, enabling password-guessing attacks. The issue stems from login controls that do not adequately throttle/brute-force limit, though a random delay and anti-parallel brute-forci...
CVE-2016-9125
The CVE-2016-9125 entry concerns Revive Adserver prior to version 3.2.3, where a session- fixation flaw allows an attacker to force arbitrary session identifiers while the system does not invalidate an existing session after a successful login. This gap enables potential theft of an authenticated...
CVE-2016-9129
CVE-2016-9129 affects Revive Adserver before 3.2.3. The issue is an information disclosure vulnerability where an attacker can determine whether an email address is associated with one or more user accounts by inspecting the password recovery message. This leaks partial confidentiality but cannot...
CVE-2016-9126
Affected software: Revive Adserver prior to 3.2.3. Issue: persistent XSS in the audit trail widget on login due to inadequate escaping of usernames; an authenticated user who can create other users could leverage this to access the administrator account. Impact (per sources): CVSS metrics show ba...
CVE-2016-9455
Revive Adserver before 3.2.3 is affected by a Cross-Site Request Forgery (CSRF) in multiple admin scripts: banner-acl.php, banner-activate.php, banner-advanced.php, banner-modify.php, banner-swf.php, banner-zone.php, tracker-modify.php. Root cause is CSRF in the Web UI, enabling unauthorized acti...
CVE-2017-5832
Revive Adserver (open source ad management) is affected by CVE-2017-5832: an XSS in the handling of user email addresses that allows remote authenticated users to inject arbitrary script/HTML. The vulnerability affects Revive Adserver versions before 4.0.1. Exploitation requires authentication; a...
CVE-2014-9407
Summary: CVE-2014-9407 affects Revive Adserver prior to 3.0.5, where multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to hijack administrators’ authenticated sessions and trigger privileged actions. Affected endpoints include admin/ scripts such as agency-delete.p...
CVE-2016-9471
The vulnerability CVE-2016-9471 affects Revive Adserver prior to 3.2.5 and 4.0.0, caused by insufficient filtering of usernames during user creation. Specifically, control characters were not filtered, allowing apparently identical usernames to co-exist and enabling potential user spoofing. Explo...
CVE-2017-5833
CVE-2017-5833 affects Revive Adserver prior to 4.0.1. An XSS in the invocation code generation for interstitial zones allows remote attackers to inject arbitrary script or HTML via unspecified parameters. The CVSS data indicates a network-accessible vulnerability with low attack complexity (AV:N/...
CVE-2016-9472
Revive Adserver contains a Reflected XSS in installer UI affecting versions before 3.2.5 and 4.0.0. The vulnerability is caused by reflected input in the web installer scripts, exposed via parameters such as dbHost and dbUser (and possibly others). Impact per the CVE entry is a limited window for...
CVE-2016-9457
Revive Adserver CVE-2016-9457 affects Revive Adserver prior to version 3.2.3. The vulnerability is a Reflected XSS in www/admin/stats.php, exploitable via multiple unsanitised/escaped parameters (e.g., setPerPage, pageId, bannerid, period_start, period_end). Impact is XSS on pages reflecting user...
CVE-2017-5831
Revive Adserver is affected by CVE-2017-5831: a session fixation vulnerability in the forgot password flow prior to version 4.0.1. The issue allows an attacker to hijack a user session by targeting the session ID during password reset. Affected software is Revive Adserver (prior to 4.0.1); root c...
CVE-2016-9128
CVE-2016-9128 affects Revive Adserver prior to 3.2.3. A reflected XSS flaw exists in the affiliate-preview.php script in www/admin, enabling an attacker to steal the session ID of an authenticated user by convincing them to visit a crafted URL. Affected component: Revive Adserver web admin. Root ...
CVE-2016-9454
CVE-2016-9454 affects Revive Adserver prior to version 3.2.3, where the banner image URL for external banners could be improperly escaped in most banner-related pages, enabling a persistent XSS via the Revive Adserver user interface. The vulnerability requires a trusted, non-admin account and is ...
CVE-2025-48987
Revive Adserver is affected by a reflected XSS in the admin area. The hackerone report details a RXSS in revive-adserver-6.0.1/www/admin/account-preferences-plugin.php, triggered via the group query parameter where untrusted input is reflected without proper output encoding or context-aware escap...
CVE-2025-52666
Summary: CVE-2025-52666 affects Revive Adserver (versions 5.5.2, 6.0.1 and earlier). The issue is an improper neutralisation of format characters in the settings, which leads to a fatal PHP error that can cause the administrator user console to be disabled. The incident is described across multip...
CVE-2026-50739
Revive Adserver 6.0.7 and earlier expose a bypass of ownership validation in the reverse operation that links campaigns and trackers via tracker-campaigns.php. A low-privilege user could link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership ...