Vulnerability 1 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
- CVE-IDs: CVE-2020-8115
- CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- CVSS Base Score: 4.3
- CVSS Impact Subscore: 1.4
- CVSS Exploitability Subscore: 2.8
A reflected XSS vulnerability was discovered by Jacopo Tediosi in the publicly accessible afr.php delivery script of Revive Adserver. There are currently no known exploits: since v3.2.2 the session identifier is stored in a cookie carrying the HttpOnly flag, so script injected through this vulnerability cannot read it. On older versions, however, under specific circumstances, it could be possible to steal the session identifier of a logged-in administrator and gain access to the admin interface.
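The sink pattern behind a reflected XSS of this kind, and the two controls the advisory refers to (output encoding of the reflected value, and an HttpOnly session cookie), as an added illustration. This is not code from Revive Adserver's afr.php or from the reporter; the parameter name zoneid, the markup and the function names are assumptions chosen only to show the pattern.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this advisory; it is NOT the code of
// Revive Adserver's afr.php. The parameter name "zoneid" and the markup
// are assumptions chosen only to show the reflected-XSS sink pattern.

// VULNERABLE: the query parameter is copied into the response unchanged.
// A link such as  afr.php?zoneid=1"><script>...</script>  runs the
// injected script in the browser of whoever follows it (hence UI:R in
// the CVSS vector).
function render_vulnerable(array $query): string
{
    $zone = $query['zoneid'] ?? '';
    return '<div id="zone-' . $zone . '"></div>';
}

// HARDENED: validate the expected type first, then encode for the output
// context. ENT_QUOTES also escapes the double quote that closes the
// attribute, which is what the injection above relies on. For values that
// legitimately contain free text, the encoding step alone is the fix.
function render_hardened(array $query): string
{
    $zone = $query['zoneid'] ?? '';
    if (!is_string($zone) || !ctype_digit($zone)) {
        // Not a non-negative integer (or not a scalar at all): refuse
        // rather than guess what the caller meant.
        return '<div id="zone-invalid"></div>';
    }
    $safe = htmlspecialchars($zone, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="zone-' . $safe . '"></div>';
}

// DEFENCE IN DEPTH: mark the session cookie HttpOnly (and Secure) so that
// even a successful injection cannot read it via document.cookie. This is
// the property the advisory credits for limiting the impact on v3.2.2 and
// later. It does not stop injected script from acting within the page, so
// the output encoding above is still required.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',   // additional hardening, not mentioned in the advisory
    ]);
    session_start();
}

// Demonstration with a constructed malicious query string (not a real
// request captured from the product).
$attack = ['zoneid' => '1"><script>alert(document.cookie)</script>'];
echo render_vulnerable($attack), PHP_EOL; // the script tag reaches the browser intact
echo render_hardened($attack), PHP_EOL;   // the attack string fails the digit check
```

Run it with `php example.php` and compare the two lines of output: the first still contains the closing quote and the `<script>` element, the second does not. With the HttpOnly cookie in place as well, an injection that does slip through cannot exfiltrate the session identifier, which is why the advisory rates the confidentiality impact as low.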
We strongly advise people to upgrade to the most recent 5.0.4 version of Revive Adserver.
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>
Please review https://www.revive-adserver.com/security/ before contacting them.