Revive Adserver Security Advisory REVIVE-SA-2020-001

• Advisory ID: REVIVE-SA-2020-001
• CVE-IDs: CVE-2020-8115
• Date: 2020-01-21
• Risk Level: Low
• Applications affected: Revive Adserver
• Versions affected: <= 5.0.3
• Versions not affected: >= 5.0.4
• Website: https://www.revive-adserver.com/

Vulnerability 1 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]

• CVE-IDs: CVE-2020-8115
• CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
• CVSS Base Score: 4.3
• CVSS Impact Subscore: 1.4
• CVSS Exploitability Subscore: 2.8

Description

A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface.

Details

The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.

References

• https://hackerone.com/reports/775693
• https://github.com/revive-adserver/revive-adserver/commit/327aaf10
• https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
• https://cwe.mitre.org/data/definitions/79.html

Solution

We strongly advise people to upgrade to the most recent 5.0.4 version of Revive Adserver.

Contact Information

The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>

Please review https://www.revive-adserver.com/security/ before doing so.