Full Disclosure mailing list archives

[REVIVE-SA-2025-001] Revive Adserver Vulnerability


From: Matteo Beccati <matteo () beccati com>
Date: Wed, 22 Oct 2025 12:04:43 +0200

========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2025-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2025-001
------------------------------------------------------------------------
CVE-ID:                CVE-2025-27208
Date:                  2025-10-22
Risk Level:            Very low
Applications affected: Revive Adserver
Versions affected:     <= 5.5.2
Versions not affected: >= 6.0.0
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation ('Cross-site Scripting')
                       [CWE-79]
CVSS Base Score:       4.3
CVSS Vector:           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
========================================================================

Description
-----------
Jiasheng He (https://github.com/hebing123) from Qihoo 360 has reported a reflected XSS vulnerability in the admin-search.php script. An attacker can craft a specific URL that includes an HTML payload in the "compact" parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and any malicious scripts it contains are executed.


Details
-------
The "compact" GET parameter sent to the admin-search.php script is used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged-in administrator into visiting the crafted URL. Most importantly, the session cookie cannot be accessed or stolen via JavaScript, so the disruption would be limited.
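
The fix pattern for this class of bug, as an added example that is not taken from Revive Adserver's code or the referenced commit: the request value is reduced to a validated flag, and each output context (HTML, JS, CSS) gets its own encoder. It assumes "compact" is an on/off flag; the helper names and CSS class names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Revive Adserver code: one encoder per output context.

/** HTML body or quoted-attribute context. */
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Inline <script> context: a JSON literal with <, >, &, ' and " hex-escaped. */
function encode_js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** CSS context: never echo input; map it onto a fixed set of class names. */
function css_class_for(bool $compact): string
{
    return $compact ? 'search-compact' : 'search-full';
}

/** Assumption: "compact" is an on/off flag, so reduce it to a strict boolean. */
function read_compact(array $query): bool
{
    $raw = $query['compact'] ?? '';
    return is_string($raw) && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample request: markup supplied where a flag is expected.
$query = ['compact' => '"><b>not-a-flag</b>'];

// Illustration of the bug class only: the raw value concatenated into markup.
$unsafe = '<div class="' . $query['compact'] . '">';

// Hardened output: validated flag, context-specific encoding at each sink.
$compact = read_compact($query);
$safe = '<div class="' . encode_html(css_class_for($compact)) . '">'
      . '<script>var compact = ' . encode_js($compact) . ';</script>';

echo encode_html($unsafe), PHP_EOL; // escaped so the broken markup can be inspected
echo $safe, PHP_EOL;
```

The same three encoders apply to free-text parameters as well; only read_compact() is specific to the flag assumption.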


References
----------
https://hackerone.com/reports/3091390
https://github.com/revive-adserver/revive-adserver/commit/0c68d1bb
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 6.0.0 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

Attachment: OpenPGP_0x323A66AFB6C0A3D8.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
