[REVIVE-SA-2025-001] Revive Adserver Vulnerability
Revive Adserver versions <=5.5.2 have a reflected XSS vulnerability in admin-search.php, allowing attackers to craft URLs with HTML payloads via the "compact" parameter. Exploitation requires administrator interaction but cannot steal session cookies. Upgrading to version 6.0.0 or higher is recommended to resolve the issue.
2025-10-26 03:48:12 Author: seclists.org

Full Disclosure mailing list archives


From: Matteo Beccati <matteo () beccati com>
Date: Wed, 22 Oct 2025 12:04:43 +0200

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-001
------------------------------------------------------------------------
CVE-ID:                CVE-2025-27208
Date:                  2025-10-22
Risk Level:            Very low
Applications affected: Revive Adserver
Versions affected:     <= 5.5.2
Versions not affected: >= 6.0.0
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting')
                       [CWE-79]
CVSS Base Score:       4.3
CVSS Vector:           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
Jiasheng He (https://github.com/hebing123) from Qihoo 360 has reported a reflected XSS vulnerability in the admin-search.php script. An attacker can craft a specific URL that includes an HTML payload in the "compact" parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and any malicious scripts it contains are executed.


Details
-------
The "compact" GET parameter sent to the admin-search.php script is used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged-in administrator into visiting the crafted URL. Most importantly, the session cookie cannot be accessed or stolen via JavaScript, so the disruption would be limited.
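
For installations still on <= 5.5.2, web server access logs can be checked for requests matching the pattern described above. The following is an added example, not part of the advisory or of Revive Adserver's code. It assumes a combined-format access log and that a legitimate "compact" value is a short alphanumeric flag; the allowlist, the function names and the sample log lines (including the /www/admin/ path) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a benign "compact" value is a short alphanumeric flag.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{0,16}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def suspicious_compact(log_line):
    """Return decoded 'compact' values in one log line that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/admin-search.php"):
        return []
    # parse_qs percent-decodes once; a double-encoded value still contains
    # '%' afterwards, so it fails the allowlist and is reported too.
    values = parse_qs(url.query, keep_blank_values=True).get("compact", [])
    return [v for v in values if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (line_number, values) for every log line with a suspicious value."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_compact(line)
        if bad:
            hits.append((n, bad))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2025:10:00:01 +0200] '
    '"GET /www/admin/admin-search.php?keyword=banner&compact=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Oct/2025:10:02:17 +0200] '
    '"GET /www/admin/admin-search.php?keyword=x&compact=%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5344',
    '203.0.113.9 - - [22/Oct/2025:10:02:40 +0200] '
    '"GET /www/admin/stats.php?compact=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, bad in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious compact value(s): {bad!r}")
```

A hit shows only that a crafted URL was requested; correlate the timestamp and client address with administrator sessions to judge whether a logged-in administrator actually followed it.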


References
----------
https://hackerone.com/reports/3091390
https://github.com/revive-adserver/revive-adserver/commit/0c68d1bb
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 6.0.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

Attachment: OpenPGP_0x323A66AFB6C0A3D8.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Article source: https://seclists.org/fulldisclosure/2025/Oct/20