CVE-2021-22873

Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and/or ct0 parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third p...

CVE-2021-22888

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the status parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript...

CVE-2021-22871

Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag generation screen, leading to a persistent cross-site scripting (XSS) vulnerability.

CVE-2021-22872

Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. While this issue was previously addressed in modern browsers as CVE-2020-8115, some older browsers (e.g., IE10) that do not automatically URL encod...

CVE-2021-22889

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the statsBreakdown parameter of stats.php (and possibly other scripts) due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking...

CVE-2021-22875

Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the setPerPage parameter.

CVE-2021-22948

Vulnerability in the generation of session IDs in revive-adserver

CVE-2021-22874

Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the period_preset parameter.