[REVIVE-SA-2026-002] Revive Adserver Vulnerabilities

Full Disclosure mailing list archives


From: Matteo Beccati <php () beccati com>
Date: Wed, 3 Jun 2026 15:43:47 +0200

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2026-002
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2026-002
------------------------------------------------------------------------
Date: 2026-06-03
Risk Level: Medium to High
Applications affected: Revive Adserver
Versions affected: <= 6.0.6
Versions not affected: >= 6.0.7
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
1. Improper Access Control
========================================================================
Vulnerability Type: CWE-284: Improper Access Control
CVE-ID: CVE-2026-34912
Risk level: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Ghadban (DarkyOS) has reported that proper access control is missing when linking banners or campaigns to a zone through the `zone-include.php` script of Revive Adserver 6.0.6 and earlier, or via its API. A low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships.

Resolution
----------
Same‑manager ownership of banners and campaigns is now verified when the link is added.

References
----------
https://hackerone.com/reports/3650504
https://github.com/revive-adserver/revive-adserver/commit/e1c9b8478
https://cwe.mitre.org/data/definitions/284.html


========================================================================
2. Improper Access Control
========================================================================
Vulnerability Type: CWE-284: Improper Access Control
CVE-ID: CVE-2026-34913
Risk level: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Ahmed Ghadban (DarkyOS) has reported a missing access control check when linking trackers to campaigns through the `campaign-trackers.php` script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships.

Resolution
----------
Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.

References
----------
https://hackerone.com/reports/3650582
https://github.com/revive-adserver/revive-adserver/commit/f1b5e8504
https://cwe.mitre.org/data/definitions/284.html


========================================================================
3. Blind SQL Injection
========================================================================
Vulnerability Type: CWE-89: SQL Injection
CVE-ID: CVE-2026-34914
Risk level: High
CVSS Base Score: 8.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
========================================================================

Description
-----------
HackerOne community member Kaushalendra Dubey (titanrain) has reported a missing sanitisation of user input in the `zone-include.php` script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the `clientid` parameter to perform blind SQL injection attacks.

Resolution
----------
Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.

References
----------
https://hackerone.com/reports/3653196
https://github.com/revive-adserver/revive-adserver/commit/b541d1d05
https://cwe.mitre.org/data/definitions/89.html


========================================================================
4. Reflected XSS
========================================================================
Vulnerability Type: CWE-79: Cross-site Scripting
CVE-ID: CVE-2026-34915
Risk level: Medium
CVSS Base Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Kaushalendra Dubey (titanrain) has reported a missing sanitisation of user input in the `zone-include.php` script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the `clientid` parameter to perform reflected XSS attacks.

Resolution
----------
Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.

References
----------
https://hackerone.com/reports/3653316
https://github.com/revive-adserver/revive-adserver/commit/b541d1d05
https://cwe.mitre.org/data/definitions/79.html


========================================================================
5. Remote Code Execution
========================================================================
Vulnerability Type: CWE-94: Code Injection
CVE-ID: CVE-2026-34916
Risk level: High
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member 0x4c616e has reported a missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could use the logical parameter to inject malicious PHP code into the `compiledlimitations` field, which would then be executed during banner delivery.

Resolution
----------
Input sanitisation has been improved to ensure that the parameter is properly validated.

References
----------
https://hackerone.com/reports/3656781
https://github.com/revive-adserver/revive-adserver/commit/de3525e12
https://cwe.mitre.org/data/definitions/94.html


========================================================================
6. Improper Authentication
========================================================================
Vulnerability Type: CWE-287: Improper Authentication
CVE-ID: CVE-2026-34917
Risk level: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
HackerOne community member 0x4c616e has reported that low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities.

Resolution
----------
The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.

References
----------
https://hackerone.com/reports/3672641
https://github.com/revive-adserver/revive-adserver/commit/50c7dd3ba
https://cwe.mitre.org/data/definitions/287.html


========================================================================
7. Stored XSS
========================================================================
Vulnerability Type: CWE-79: Cross-site Scripting
CVE-ID: CVE-2026-44956
Risk level: Medium
CVSS Base Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member barcrange (3l4) has reported that low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the `details` field of the `userlog` table. An admin user viewing the email content through `userlog-details.php` would have any malicious JavaScript payload executed due to missing output sanitisation.

Resolution
----------
Proper escaping has been added to the userlog details output.

References
----------
https://hackerone.com/reports/3669623
https://github.com/revive-adserver/revive-adserver/commit/6254115b7
https://cwe.mitre.org/data/definitions/79.html


========================================================================
8. Improper Access Control
========================================================================
Vulnerability Type: CWE-284: Improper Access Control
CVE-ID: CVE-2026-44957
Risk level: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
========================================================================

Description
-----------
HackerOne community member barcrange (3l4) has reported a missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users.

Resolution
----------
Access control checks have been added to validate access to parent entities in the API modify methods.

References
----------
https://hackerone.com/reports/3677576
https://github.com/revive-adserver/revive-adserver/commit/5860e2f86
https://cwe.mitre.org/data/definitions/284.html


========================================================================
9. Improper Access Control
========================================================================
Vulnerability Type: CWE-284: Improper Access Control
CVE-ID: CVE-2026-44958
Risk level: Medium
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
========================================================================

Description
-----------
HackerOne community member V3rtical has reported an access control bypass allowing an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The `banner-edit.php` script allowed the banner status to be overwritten solely based on banner edit permissions.

Resolution
----------
The status field has been removed from the hidden form fields in the banner edit screen.

References
----------
https://hackerone.com/reports/3678828
https://github.com/revive-adserver/revive-adserver/commit/2af365841
https://cwe.mitre.org/data/definitions/284.html


========================================================================
10. Remote Code Execution
========================================================================
Vulnerability Type: CWE-94: Code Injection
CVE-ID: CVE-2026-44959
Risk level: High
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
========================================================================

Description
-----------
HackerOne community member rajib_mahmud has reported a missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the `compiledlimitations` field, which would then be executed during banner delivery.

Resolution
----------
Input sanitisation has been improved to ensure that unexpected parameters are filtered out.

References
----------
https://hackerone.com/reports/3744200
https://github.com/revive-adserver/revive-adserver/commit/6c6161420
https://cwe.mitre.org/data/definitions/94.html

========================================================================
11. Stored XSS
========================================================================
Vulnerability Type:    CWE-79: Cross-site Scripting
CVE-ID:                CVE-2026-44960
Risk level:            Medium
CVSS Base Score:       5.4
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
------------------------------------------------------------------------

Description
-----------
HackerOne community member barcrange (3l4) has reported that usernames could be used as a vector for a stored XSS attack. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation.

Resolution
----------
Proper escaping has been added to the audit log details output.

References
----------
https://hackerone.com/reports/3680090
https://github.com/revive-adserver/revive-adserver/commit/27bb9a8f5
https://cwe.mitre.org/data/definitions/79.html


========================================================================
12. Incomplete List of Disallowed Inputs
========================================================================
Vulnerability Type:    CWE-184: Incomplete List of Disallowed Inputs
CVE-ID:                CVE-2026-44961
Risk level:            Medium
CVSS Base Score:       5.4
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
------------------------------------------------------------------------

Description
-----------
HackerOne community member barcrange (3l4) has reported that the XML‑RPC API
`addUser` method was bypassing the validation rules introduced in the fix for
CVE‑2025‑55129. As a result, API users could create usernames that enabled
impersonation or stored XSS attacks.

Resolution
----------
Proper validation has been added where it was missing.

References
----------
https://hackerone.com/reports/3680090
https://github.com/revive-adserver/revive-adserver/commit/229cf361b
https://cwe.mitre.org/data/definitions/184.html




========================================================================
Solution
========================================================================

We recommend updating to the most recent 6.0.7 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/
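
Added example for items 1, 2 and 8 (not part of the advisory and not Revive Adserver's code): a same-manager check made when a link is added, verifying ownership of both the zone and the target rather than the zone alone. The `$db` layout, the IDs and the function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Owning manager of a campaign or banner, or null when the ID is unknown.
function managerOf(array $db, string $kind, int $id): ?int
{
    if ($kind === 'banner') {
        // A banner inherits its owner from the campaign it belongs to.
        $id = $db['banners'][$id]['campaign'] ?? -1;
        $kind = 'campaign';
    }
    return $kind === 'campaign' ? ($db['campaigns'][$id]['manager'] ?? null) : null;
}

// Permit the link only when the caller's manager owns the zone AND the target.
// Checking access to the zone alone leaves cross-manager links possible.
function canLinkToZone(array $db, int $caller, int $zoneId, string $kind, int $targetId): bool
{
    $zoneManager = $db['zones'][$zoneId]['manager'] ?? null;
    return $zoneManager !== null
        && $zoneManager === $caller
        && managerOf($db, $kind, $targetId) === $zoneManager;
}

// Constructed records: manager 1 owns zone 10, campaign 20 and banner 30;
// manager 2 owns campaign 21 and banner 31.
$db = [
    'zones'     => [10 => ['manager' => 1]],
    'campaigns' => [20 => ['manager' => 1], 21 => ['manager' => 2]],
    'banners'   => [30 => ['campaign' => 20], 31 => ['campaign' => 21]],
];
// Constructed requests: [caller's manager, zone, target kind, target ID].
$requests = [
    [1, 10, 'banner', 30],    // same manager on both sides
    [1, 10, 'banner', 31],    // banner owned by another manager
    [1, 10, 'campaign', 21],  // campaign owned by another manager
    [2, 10, 'campaign', 21],  // caller does not own the zone
    [1, 10, 'banner', 999],   // unknown target fails closed
];
foreach ($requests as [$caller, $zone, $kind, $target]) {
    $verdict = canLinkToZone($db, $caller, $zone, $kind, $target) ? 'linked' : 'denied';
    printf("manager %d, zone %d -> %s %d: %s\n", $caller, $zone, $kind, $target, $verdict);
}
```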
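
Added example for items 5 and 10 (not part of the advisory and not Revive Adserver's code): input that is compiled into a stored PHP expression is reduced to known keys, tokens that become code are matched against closed sets, and free-form data is emitted only as a quoted literal. The field list, `checkLimitation()` and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Constructed field list (not Revive's): array = closed token set, null = free-form data.
const FIELDS = [
    'logical'    => ['and', 'or'],
    'type'       => ['Time:Hour', 'Geo:Country'],
    'comparison' => ['==', '!='],
    'data'       => null,
];

function sanitiseLimitation(array $row): array
{
    // Unexpected parameters (item 10) are dropped, never passed downstream.
    $row = array_intersect_key($row, FIELDS);
    foreach (FIELDS as $key => $allowed) {
        $value = $row[$key] ?? null;
        // Tokens that end up as code (item 5: logical) must match exactly.
        if (!is_string($value) || ($allowed !== null && !in_array($value, $allowed, true))) {
            throw new InvalidArgumentException("missing or disallowed value for: $key");
        }
    }
    return $row;
}

// checkLimitation() is hypothetical; free-form data is emitted only via var_export().
function compileLimitations(array $rows): string
{
    $expr = '';
    foreach (array_values($rows) as $i => $raw) {
        $row = sanitiseLimitation($raw);
        $call = sprintf('checkLimitation(%s, %s, %s)', var_export($row['type'], true),
            var_export($row['data'], true), var_export($row['comparison'], true));
        $expr .= ($i === 0 ? '' : " {$row['logical']} ") . $call;
    }
    return $expr;
}

// Constructed input: the extra key in row 0 is stripped, data is quoted.
$rows = [
    ['logical' => 'and', 'type' => 'Time:Hour', 'comparison' => '==', 'data' => '9', 'extra' => 'x'],
    ['logical' => 'or', 'type' => 'Geo:Country', 'comparison' => '!=', 'data' => "it's"],
];
echo compileLimitations($rows), PHP_EOL;
$rows[1]['logical'] = 'and then'; // constructed value outside the closed set
try {
    echo compileLimitations($rows), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```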
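
Added example for item 6 (not part of the advisory and not Revive Adserver's code): the issuing entry point is stored with the session and compared on every lookup, so an ID issued by the web console does not resolve on the API. The store layout, the constants and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

const CONTEXT_WEB = 'web';
const CONTEXT_API = 'api';

// Create a session row that records which entry point issued it.
function createSession(array &$store, string $user, string $context): string
{
    $id = bin2hex(random_bytes(16));
    $store[$id] = ['user' => $user, 'context' => $context];
    return $id;
}

// Resolve a session ID for one entry point. Rows issued by the other entry
// point, and rows with no recorded context, fail closed.
function resolveSession(array $store, string $id, string $expectedContext): ?string
{
    $row = $store[$id] ?? null;
    if ($row === null || ($row['context'] ?? null) !== $expectedContext) {
        return null;
    }
    return $row['user'];
}

// Constructed data: one row without a context, one web session, one API session.
$store = ['legacy0000' => ['user' => 'old-user']];
$webId = createSession($store, 'advertiser1', CONTEXT_WEB);
$apiId = createSession($store, 'admin', CONTEXT_API);

$cases = [
    'web ID on web console' => [$webId, CONTEXT_WEB],
    'web ID on XML-RPC API' => [$webId, CONTEXT_API],
    'API ID on XML-RPC API' => [$apiId, CONTEXT_API],
    'API ID on web console' => [$apiId, CONTEXT_WEB],
    'no-context row on API' => ['legacy0000', CONTEXT_API],
];
foreach ($cases as $label => [$id, $context]) {
    printf("%-24s %s\n", $label, resolveSession($store, $id, $context) ?? 'denied');
}
```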











