[REVIVE-SA-2025-005] Revive Adserver Vulnerability

[Matteo Beccati <php () beccati com>]

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-005
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-005
------------------------------------------------------------------------
Date:                  2025-11-26
Risk Level:            Medium
Applications affected: Revive Adserver
Versions affected:     <= 6.0.3
Versions not affected: >= 6.0.4
Website:               https://www.revive-adserver.com/
========================================================================

 
========================================================================
Vulnerability: Incomplete List of Disallowed Inputs
========================================================================
Vulnerability Type:    Incomplete List of Disallowed Inputs [CWE-184]
CVE-ID:                CVE-2025-55129
Risk Level:            Medium
CVSS Base Score:       5.4
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Kassem S. (kassem_s94) has reported that 
username handling in Revive Adserver was still vulnerable to 
impersonation attacks after the fix for CVE-2025-52672, via several 
alternate techniques. Homoglyphs based impersonation has been 
independently reported by other HackerOne community members, such as 
itz_hari_ and khoof.

Details
-------
Username validation was historically allowing full UTF-8 usernames. That 
was supposed to be a feature, but it could be used maliciously to 
generate usernames visually identical to existing ones, using various 
techniques, such as homoglyph characters, zero-width spaces, RTL 
override, and potentially others. An attacker with user creation 
permissions could specifically craft a username and trick an 
administrator user to grant other permissions to it rather than the 
legitimate user.

Following the report, now only usernames with a limited character set 
(variant of POSIX.1-2017) are allowed.

References
----------
https://hackerone.com/reports/3434156
https://github.com/revive-adserver/revive-adserver/commit/1a4843e
https://cwe.mitre.org/data/definitions/184.html  


========================================================================
Solution
========================================================================

We recommend updating to the most recent 6.0.4 version of Revive 
Adserver, or whatever happens to be the current release at the time of 
reading this security advisory.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so. 
We only accept security reports through HackerOne.

--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/