========================================================================
Revive Adserver Security Advisory REVIVE-SA-2025-003
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-003
------------------------------------------------------------------------
Date: 2025-11-05
Risk Level: High
Applications affected: Revive Adserver
Versions affected: <= 6.0.1, <= 5.5.2
Versions not affected: >= 6.0.2, >= 5.5.3
Website: https://www.revive-adserver.com/
========================================================================

========================================================================
Vulnerability 1: Authorization bypass
========================================================================
Vulnerability Type: Improper Access Control [CWE-284]
CVE-ID: CVE-2025-48986
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an authorization bypass vulnerability in the “admin-user.php”, “advertiser-user.php”, “affiliate-user.php”, and “agency-user.php” scripts. A logged in user, with enough privileges to access any of the affected scripts, can craft a specific payload to change the email address of any user in the system.
Details
-------
The functionality behind the “*-user.php” scripts always updated the user details with the data coming from the POST parameters, even for existing users. When an existing user was being added to an account, the form was prepared with that user's email address as a read-only field, but nothing enforced this on the server side: the attacker could craft a POST payload that altered the email address of any user, and then recover that user's username and reset their password through the “Forgot Password” functionality, since the recovery email would be delivered to the attacker-controlled address.
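The pattern behind this bug and its fix, as an added example written for this page rather than taken from the Revive Adserver code base: a reduced handler that either creates a user or links an existing one to an account. The in-memory user table, the request payload and the function names are assumptions made for the example.

```php
<?php
// Added example (not Revive Adserver code): the "*-user.php" failure mode.
// One handler both creates new users and links existing ones to an account.
// The vulnerable variant writes POST fields onto the user record in both
// cases; the fixed variant only writes them when the user is new.

// Constructed in-memory user table standing in for the database.
$users = [
    'admin' => ['contact_name' => 'Site Admin', 'email_address' => 'admin@example.com'],
];

function vulnerableLinkUser(array &$users, string $username, array $post): array
{
    if (!isset($users[$username])) {
        $users[$username] = ['contact_name' => '', 'email_address' => ''];
    }
    // BUG: an existing user is "updated" from attacker-controlled POST data,
    // even though the form only rendered the email address as read-only.
    $users[$username]['contact_name']  = $post['contact_name'];
    $users[$username]['email_address'] = $post['email_address'];
    return $users[$username];
}

function fixedLinkUser(array &$users, string $username, array $post, bool $isAdmin): ?array
{
    if (isset($users[$username])) {
        // Existing user: never touch the record with form data. Linking an
        // existing user is additionally reserved to administrators, which is
        // the change described under vulnerability 6 of this advisory.
        return $isAdmin ? $users[$username] : null;
    }
    if (!filter_var($post['email_address'], FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    $users[$username] = [
        'contact_name'  => $post['contact_name'],
        'email_address' => $post['email_address'],
    ];
    return $users[$username];
}

// Constructed attacker request: a non-admin user "adds" the existing admin
// account to their entity, but supplies their own mailbox in the POST body.
$attackerPost = ['contact_name' => 'Site Admin', 'email_address' => 'attacker@evil.example'];

vulnerableLinkUser($users, 'admin', $attackerPost);
echo "vulnerable: admin email is now {$users['admin']['email_address']}\n";

$users['admin']['email_address'] = 'admin@example.com';   // restore the record
fixedLinkUser($users, 'admin', $attackerPost, false);
echo "fixed:      admin email is still {$users['admin']['email_address']}\n";
```

The point of the fixed variant is that the branch for an existing user never reads the request body at all; validating the submitted email address would not have helped, because the attacker's address is a perfectly valid one.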
References
----------
https://hackerone.com/reports/3398283
https://github.com/revive-adserver/revive-adserver/commit/7527d00
https://github.com/revive-adserver/revive-adserver/commit/8242644
https://cwe.mitre.org/data/definitions/284.html

========================================================================
Vulnerability 2: Stored XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID: CVE-2025-52668
CVSS Base Score: 8.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
========================================================================

Description
-----------
HackerOne community member Vitaly Simonovich (cyberjoker) has reported a stored XSS vulnerability in the “statistics-conversions.php” script, with the tracker or campaign name being the vector for attack.
Details
-------
The “statistics-conversions.php” script, included by the main “stats.php” front controller, was not properly sanitising tracker and campaign names before displaying them on the page. If conversion tracking is enabled on the installation, a manager user could set up the XSS attack and create all the required preconditions, so that a specifically crafted link to “stats.php” would execute the injected JavaScript code. Successful exploitation requires an attacker to trick a logged in administrator into visiting such a URL. The session cookie cannot be accessed or stolen via JavaScript, but session riding would be possible, allowing the attacker to create new users or chain other exploits with the administrator's privileges.
References
----------
https://hackerone.com/reports/3400506
https://github.com/revive-adserver/revive-adserver/commit/3443963
https://github.com/revive-adserver/revive-adserver/commit/0f3b4a4
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 3: Authorization Bypass
========================================================================
Vulnerability Type: Authorization Bypass Through User-Controlled Key [CWE-639]
CVE-ID: CVE-2025-52670
CVSS Base Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
========================================================================

Description
-----------
HackerOne community member Vitaly Simonovich (cyberjoker) has reported an authorization bypass vulnerability in the “delete-banner.php” script of Revive Adserver. Users with permissions to delete banners are mistakenly allowed to delete banners owned by other accounts.
Details
-------
The Revive Adserver “delete-banner.php” script was not properly checking ownership of the banner referenced by the “bannerid” parameter before deleting the resource. A user with banner-deletion rights could therefore delete banners belonging to other accounts simply by supplying their ids, which directly affects the integrity of the stored data and the availability of the affected campaigns.
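An added example of the CWE-639 check this fix has to add, written for this page and not taken from Revive Adserver: a delete handler that verifies the banner's ownership chain against the session before acting on the user-supplied id. The three constructed tables, the session array and the function names are assumptions; the real ownership chain in Revive Adserver is resolved through its own data layer.

```php
<?php
// Added example (not Revive Adserver code): deleting by a user-controlled key.
// Constructed tables stand in for banners, campaigns and advertisers
// (clients); ownership is resolved banner -> campaign -> client -> agency.

$clients   = [10 => ['agencyid' => 1], 11 => ['agencyid' => 2]];
$campaigns = [100 => ['clientid' => 10], 101 => ['clientid' => 11]];
$banners   = [1000 => ['campaignid' => 100], 1001 => ['campaignid' => 101]];

// Current session: a manager of agency 1 who is allowed to delete banners.
$session = ['agencyid' => 1, 'can_delete_banners' => true];

function vulnerableDelete(array &$banners, array $session, int $bannerid): bool
{
    // Checks the *permission* but never the *ownership* of $bannerid.
    if (!$session['can_delete_banners'] || !isset($banners[$bannerid])) {
        return false;
    }
    unset($banners[$bannerid]);
    return true;
}

function bannerBelongsToAgency(array $banners, array $campaigns, array $clients, int $bannerid, int $agencyid): bool
{
    if (!isset($banners[$bannerid])) {
        return false;
    }
    $campaignid = $banners[$bannerid]['campaignid'];
    if (!isset($campaigns[$campaignid])) {
        return false;
    }
    $clientid = $campaigns[$campaignid]['clientid'];
    return isset($clients[$clientid]) && $clients[$clientid]['agencyid'] === $agencyid;
}

function fixedDelete(array &$banners, array $campaigns, array $clients, array $session, int $bannerid): bool
{
    if (!$session['can_delete_banners']) {
        return false;
    }
    // Ownership is resolved server-side from the session, never from request
    // parameters. A missing banner and a foreign banner get the same answer,
    // so the response does not reveal whether the id exists.
    if (!bannerBelongsToAgency($banners, $campaigns, $clients, $bannerid, $session['agencyid'])) {
        return false;
    }
    unset($banners[$bannerid]);
    return true;
}

// Banner 1001 belongs to agency 2; the session belongs to agency 1.
$copy = $banners;
echo 'vulnerable, foreign banner: ', vulnerableDelete($copy, $session, 1001) ? "deleted\n" : "refused\n";
$copy = $banners;
echo 'fixed, foreign banner:      ', fixedDelete($copy, $campaigns, $clients, $session, 1001) ? "deleted\n" : "refused\n";
echo 'fixed, own banner:          ', fixedDelete($copy, $campaigns, $clients, $session, 1000) ? "deleted\n" : "refused\n";
```

When reviewing similar code, look for every script that takes an entity id from the request and confirm that the id is joined back to the caller's own account before any write; a permission flag on the session is not a substitute for that join.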
References
----------
https://hackerone.com/reports/3401612
https://github.com/revive-adserver/revive-adserver/commit/1e0d1d1
https://github.com/revive-adserver/revive-adserver/commit/f5eef75
https://cwe.mitre.org/data/definitions/639.html

========================================================================
Vulnerability 4: Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID: CVE-2025-55124
CVSS Base Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Dang Hung Vi (vidang04) has reported a reflected XSS vulnerability in the “banner-zone.php” script since Revive Adserver 6.0.0. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
Details
-------
The “filterWebsite” and “filterZone” GET parameters sent to the “banner-zone.php” script were used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged in administrator into visiting the crafted URL. Most importantly, the session cookie cannot be accessed or stolen via JavaScript, so the disruption would be limited.
References
----------
https://hackerone.com/reports/3403727
https://github.com/revive-adserver/revive-adserver/commit/514bff9
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 5: Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID: CVE-2025-48987
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has reported a reflected XSS vulnerability in the “account-preferences-plugin.php” script. An attacker can craft a specific URL that includes an HTML payload in the “group” parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
Details
-------
The “group” GET parameter sent to the “account-preferences-plugin.php” script was used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged in administrator into visiting the crafted URL. Most importantly, the session cookie cannot be accessed or stolen via JavaScript, so the disruption would be limited.
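Vulnerabilities 4 and 5 both describe a request parameter reaching the HTML, JS and/or CSS context, and the stored cases in this advisory share the root cause. The following added example (written for this page, not code from Revive Adserver) shows why a single escaping call is not enough once the same value lands in more than one context, and what per-context encoding looks like in PHP. The page fragment, the “filterWebsite” template and the function names are assumptions; the input string is constructed and never sent to a browser here.

```php
<?php
// Added example (not Revive Adserver code): one value, three output contexts.
// "filterWebsite" mirrors the parameter name in the advisory; the template
// around it is invented for the example.

// Constructed attacker input: breaks out of a <script>, a quoted attribute
// and a CSS string at the same time.
$filterWebsite = "</script><script>alert(document.domain)</script>\"; x:expression(1);";

// Vulnerable rendering: htmlspecialchars() once, then the raw value is also
// interpolated into JavaScript and CSS where HTML encoding means nothing.
function renderVulnerable(string $v): string
{
    $h = htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return "<input name=\"filterWebsite\" value=\"$h\">\n"
         . "<script>var filter = '$v';</script>\n"        // raw into JS
         . "<style>.hl { content: \"$v\"; }</style>\n";    // raw into CSS
}

// Hardened rendering: encode for the context the value is written into.
function renderFixed(string $v): string
{
    // HTML body / attribute context.
    $html = htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // JavaScript context: JSON-encode, with the HEX flags so that "<", ">",
    // "&", "'" and '"' can never close the <script> element or an attribute.
    $js = json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // CSS string context: backslash-escape everything outside [A-Za-z0-9]
    // as a six-digit hex escape, which is unambiguous in CSS.
    $css = preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%06x', mb_ord($m[0], 'UTF-8'));
    }, $v);
    return "<input name=\"filterWebsite\" value=\"$html\">\n"
         . "<script>var filter = $js;</script>\n"
         . "<style>.hl { content: \"$css\"; }</style>\n";
}

echo "--- vulnerable ---\n", renderVulnerable($filterWebsite), "\n";
echo "--- fixed ---\n",      renderFixed($filterWebsite), "\n";
```

The JS and CSS branches are the ones usually missed: the `<input>` line looks safe in both variants, and a reviewer checking only for a missing `htmlspecialchars()` would wave the vulnerable version through.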
References
----------
https://hackerone.com/reports/3399191
https://github.com/revive-adserver/revive-adserver/commit/d45c580
https://github.com/revive-adserver/revive-adserver/commit/8bbd2f5
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 6: Information disclosure
========================================================================
Vulnerability Type: Exposure of Sensitive Information Due to Incompatible Policies [CWE-213]
CVE-ID: CVE-2025-52669
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an information disclosure vulnerability in the user management system of Revive Adserver. Non administrator users can exploit the user management system to get the email address and contact name of other users in the system by typing in their usernames.
Details
-------
The Revive Adserver user management system allows multiple users to be linked to the account entities on the system. When adding a new user, if the username already existed on the system, Revive Adserver would display the information on record so that the operator could verify they were adding the user they intended to. The functionality could be exploited to confirm that a guessed username exists and to access the email addresses and contact names of other users on the system. To avoid this level of information disclosure, adding existing users to account entities is now disallowed unless the operation is performed by an administrator.
References
----------
https://hackerone.com/reports/3401464
https://github.com/revive-adserver/revive-adserver/commit/dbfc051
https://github.com/revive-adserver/revive-adserver/commit/2bd0a88
https://cwe.mitre.org/data/definitions/213.html

========================================================================
Vulnerability 7: Information disclosure
========================================================================
Vulnerability Type: Generation of Error Message Containing Sensitive Information [CWE-209]
CVE-ID: CVE-2025-52671
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported an information disclosure vulnerability in the error message displayed by Revive Adserver when an SQL error is encountered, which displayed software and database versions to non-administrator users as well.
Details
-------
The Revive Adserver SQL error message historically contained information that is useful for replicating and debugging the issue but sensitive in the hands of an attacker, i.e. the Revive Adserver version, the PHP version, the database type and version, and the failing SQL query. To avoid non-essential disclosure, such information is now only displayed to administrator users.
References
----------
https://hackerone.com/reports/3403450
https://github.com/revive-adserver/revive-adserver/commit/8f17558
https://github.com/revive-adserver/revive-adserver/commit/1348712
https://cwe.mitre.org/data/definitions/209.html

========================================================================
Vulnerability 8: Stored XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID: CVE-2025-52667
CVSS Base Score: 3.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has reported a stored XSS vulnerability in the “inventory-retrieve.php” script, with campaign names being the vector for the stored XSS.
Details
-------
The “inventory-retrieve.php” script is used via AJAX by some UI components to load JSON data. The script was not sending the appropriate “Content-Type: application/json” header, so when its URL was loaded directly the output would by default be interpreted as HTML by the browser. A manager user could craft campaign names that caused the script to emit executable JavaScript when invoked with suitable parameters. Successful exploitation requires an attacker to trick a logged in administrator into visiting such a URL. Most importantly, the session cookie cannot be accessed or stolen via JavaScript, so the disruption would be limited.
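An added example of the endpoint shape this vulnerability describes and the hardened form, written for this page and not taken from Revive Adserver: a reduced JSON responder with and without the content-type declaration, plus a check that tells whether a body would carry a tag if a browser treated it as HTML. The campaign rows are constructed and the function names are hypothetical; the `X-Content-Type-Options: nosniff` header and the `JSON_HEX_*` flags go beyond the advisory's stated fix and are standard defence in depth for the same class of bug.

```php
<?php
// Added example (not Revive Adserver code): a JSON endpoint of the kind
// "inventory-retrieve.php" implements, in a reduced form.

$campaigns = [
    ['campaignid' => 1, 'campaignname' => 'Spring sale'],
    // Constructed name a manager user could store for a campaign:
    ['campaignid' => 2, 'campaignname' => '<script>alert(document.domain)</script>'],
];

// Vulnerable shape: no Content-Type, and json_encode() leaves "<" and ">"
// literal, so a browser opening the URL directly sniffs the body as HTML.
function vulnerableInventoryResponse(array $campaigns): array
{
    return ['headers' => [], 'body' => json_encode($campaigns)];
}

// Hardened shape: declare the media type, forbid sniffing, and hex-encode the
// HTML-significant characters so the body stays inert even if some other
// code path ends up rendering it as HTML.
function fixedInventoryResponse(array $campaigns): array
{
    return [
        'headers' => [
            'Content-Type: application/json; charset=utf-8',
            'X-Content-Type-Options: nosniff',
        ],
        'body' => json_encode(
            $campaigns,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        ),
    ];
}

// Reviewer's check for any JSON response: does the body contain something a
// browser would parse as an HTML tag if it ignored the media type?
function bodyContainsHtmlTag(string $body): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z]/i', $body);
}

$responses = [
    'vulnerable' => vulnerableInventoryResponse($campaigns),
    'fixed'      => fixedInventoryResponse($campaigns),
];
foreach ($responses as $label => $resp) {
    echo "== $label ==\n";
    foreach ($resp['headers'] as $h) {
        echo $h, "\n";
    }
    echo "\n", $resp['body'], "\n";
    echo 'contains an HTML tag: ', bodyContainsHtmlTag($resp['body']) ? 'yes' : 'no', "\n\n";
}
```

In a real handler the two header strings would be passed to `header()` before any output; they are kept in an array here so the example runs from the command line.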
References
----------
https://hackerone.com/reports/3399809
https://github.com/revive-adserver/revive-adserver/commit/a46267a
https://github.com/revive-adserver/revive-adserver/commit/91c662c
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 9: Stored XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID: CVE-2025-55123
CVSS Base Score: 3.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member Dao Hoang Anh (yoyomiski) has reported a stored XSS vulnerability in the “banner-edit.php” script. A manager user can insert an HTML/JS payload into a banner name and have it executed when one of their advertiser users visits the banner edit page for that specific banner.
Details
-------
The banner name was displayed as read-only HTML to advertiser users in the banner edit page. Such HTML was however displayed without proper neutralisation, allowing XSS attacks. The risk of the vulnerability is low as the target is a user with a lower level of access than the attacker.
References
----------
https://hackerone.com/reports/3404968
https://github.com/revive-adserver/revive-adserver/commit/b45618b
https://github.com/revive-adserver/revive-adserver/commit/a3ce0c3
https://cwe.mitre.org/data/definitions/79.html

========================================================================
Vulnerability 10: Format string injection
========================================================================
Vulnerability Type: Use of Externally-Controlled Format String [CWE-134]
CVE-ID: CVE-2025-52666
CVSS Base Score: 2.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
========================================================================

Description
-----------
HackerOne community member Ahmed Abdalkhaliq Abdulla (Lu3ky.13) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.
Details
-------
The Revive Adserver settings stored in the configuration file are also transformed into parameters for the Symfony Dependency Injection container. Such parameters allow environment variables or other parameters to be referenced (e.g. “%kernel.cache_dir%/foo/bar”), and a literal “%” therefore has to be written as “%%”. When initialising the container parameters, the “%” character in setting values was not escaped, so a value containing a reference to a non-existent parameter caused a PHP fatal error while the container was being built, disabling the admin user console. Only administrators are allowed to change settings, so, in normal circumstances, the disruption would be limited.
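An added example, written for this page and not taken from Revive Adserver or Symfony, of the mechanism described above: a minimal imitation of the container's “%name%” parameter syntax, enough to show an unescaped administrator-supplied value aborting initialisation and the doubling of “%” that prevents it. The `TinyParameterBag` class, the `escapeForContainer()` helper and the settings array are constructed for the example; the real container applies the same escaping through its parameter bag's `escapeValue()` method.

```php
<?php
// Added example (not Revive Adserver or Symfony code): why a raw "%" in a
// configuration value breaks container initialisation, and the fix.

final class TinyParameterBag
{
    private array $params = [];

    public function set(string $name, string $value): void
    {
        $this->params[$name] = $value;
    }

    // Resolve "%name%" references recursively; "%%" is a literal percent sign.
    // Mirrors the Symfony syntax only as far as this example needs.
    public function resolve(string $value): string
    {
        return preg_replace_callback('/%%|%([^%\s]+)%/', function (array $m): string {
            if ($m[0] === '%%') {
                return '%';
            }
            if (!array_key_exists($m[1], $this->params)) {
                throw new RuntimeException("You have requested a non-existent parameter \"{$m[1]}\".");
            }
            return $this->resolve($this->params[$m[1]]);
        }, $value);
    }
}

// The fix: data that is not meant to contain references must have every "%"
// doubled before it is stored as a container parameter.
function escapeForContainer(string $value): string
{
    return str_replace('%', '%%', $value);
}

// Constructed settings: one harmless, one with a stray "%" and a reference
// to a parameter that does not exist, as an administrator might type it.
$settings = [
    'ui.applicationName' => 'My Ads',
    'ui.footer'          => '100% %undefined.param% served',
];

$bag = new TinyParameterBag();
$bag->set('kernel.cache_dir', '/var/cache/revive');

foreach ($settings as $name => $value) {
    // Vulnerable path: the raw value becomes a parameter and is resolved.
    try {
        $bag->set("config.$name", $value);
        echo "raw      $name => ", $bag->resolve("%config.$name%"), "\n";
    } catch (RuntimeException $e) {
        echo "raw      $name => fatal: ", $e->getMessage(), "\n";
    }
    // Fixed path: the value is escaped first and round-trips unchanged.
    $bag->set("config.$name", escapeForContainer($value));
    echo "escaped  $name => ", $bag->resolve("%config.$name%"), "\n";
}
```

In the real application the unhandled exception is what turns into the fatal error on every subsequent request, since the container is rebuilt from the same configuration file each time; escaping at the point where settings are turned into parameters is the only place the fix can live.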
References
----------
https://hackerone.com/reports/3399218
https://github.com/revive-adserver/revive-adserver/commit/ac23ace
https://github.com/revive-adserver/revive-adserver/commit/bd367d2
https://cwe.mitre.org/data/definitions/134.html

========================================================================
Solution
========================================================================
We recommend updating to the most recent 5.5.3 or 6.0.2 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory.
========================================================================
Contact Information
========================================================================
The security contact for Revive Adserver can be reached at: <security AT revive-adserver DOT com>. Please review https://www.revive-adserver.com/security/ before doing so.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
Attachments:
OpenPGP_0x819BAF32F410D901.asc (OpenPGP public key)
OpenPGP_signature.asc (OpenPGP digital signature)
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/