Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[REVIVE-SA-2026-001] Revive Adserver Vulnerabilities

From: Matteo Beccati <php () beccati com>
Date: Wed, 14 Jan 2026 13:39:23 +0100
========================================================================
Revive Adserver Security Advisory                     REVIVE-SA-2026-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2026-001
------------------------------------------------------------------------
Date:                  2026-01-14
Risk Level:            High
Applications affected: Revive Adserver
Versions affected:     <= 6.0.4
Versions not affected: >= 6.0.5
Website:               https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1: Format string injection
========================================================================
Vulnerability Type:    Use of Externally-Controlled Format String
                       [CWE-134]
CVE-ID:                CVE-2026-21640
Risk level:            Low
CVSS Base Score:       2.7
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
========================================================================

Description
-----------
HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. 

Details
-------
The Revive Adserver settings are stored using INI files, which support variable interpolation. Using certain character sequences, such as '${{' in a setting was causing a PHP fatal error when reading back the configuration, due to inadequate escaping in the INI file writing classes from the PEAR_Config package. Only administrators are allowed to change settings, so, in normal circumstances, the disruption would be limited. 

References
----------
https://hackerone.com/reports/3445332
https://github.com/revive-adserver/revive-adserver/commit/c40187d8
https://cwe.mitre.org/data/definitions/134.html


========================================================================
Vulnerability 2: Authorization Bypass
========================================================================
Vulnerability Type:    Authorization Bypass Through User-Controlled Key
                       [CWE-639]
CVE-ID:                CVE-2026-21641
Risk level:            High
CVSS Base Score:       7.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
========================================================================

Description
-----------
HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the 'tracker-delete.php' script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. 

Details
-------
The Revive Adserver 'tracker-delete.php' script was not properly checking ownership of the 'clientid' parameter before deleting the resource. That allows several types of malicious attacks and highly affects the data integrity of the affected system. 

References
----------
https://hackerone.com/reports/3445710
https://github.com/revive-adserver/revive-adserver/commit/f6059335
https://cwe.mitre.org/data/definitions/639.html


========================================================================
Vulnerability 3: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2026-21642
Risk level:            Medium
CVSS Base Score:       6.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the ’banner-acl.php’ and ’channel-acl.php’ scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 

Details
-------
The ’acls[0][executionorder]’ request parameter sent to the ’banner-acl.php’ or ’channel-acl.php’ scripts were used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged-in user into visiting the crafted URL. 

References
----------
https://hackerone.com/reports/3470970
https://github.com/revive-adserver/revive-adserver/commit/e245a88
https://github.com/revive-adserver/revive-adserver/commit/0ebc96d
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Vulnerability 4: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2026-21663
Risk level:            Medium
CVSS Base Score:       6.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the 'banner-acl.php' script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 

Details
-------
The ’cap’, ’session_capping’ and ’time’ request parameters sent to the ’banner-acl.php’ script were used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged-in user into visiting the crafted URL. 

References
----------
https://hackerone.com/reports/3473696
https://github.com/revive-adserver/revive-adserver/commit/c130eb0
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Vulnerability 5: Reflected XSS
========================================================================
Vulnerability Type:    Improper Neutralization of Input During Web Page
                       Generation (‘Cross-site Scripting’) [CWE-79]
CVE-ID:                CVE-2026-21664
Risk level:            Medium
CVSS Base Score:       6.1
CVSS Vector:           CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
========================================================================

Description
-----------
HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the 'afr.php' delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. 

Details
-------
The 'target' GET parameter sent to the 'afr.php' script was used in the output without proper sanitisation, allowing an attacker to craft specific URLs and have payloads output in the HTML, JS, and/or CSS context. Successful exploitation requires an attacker to trick a logged-in user into visiting the crafted URL. What the attacker can do depends on various factors, such as the configuration file being locked and/or if the admin domain is different from the delivery domain. 

References
----------
https://hackerone.com/reports/3468169
https://github.com/revive-adserver/revive-adserver/commit/e88e9ed
https://github.com/revive-adserver/revive-adserver/commit/7a99f69
https://cwe.mitre.org/data/definitions/79.html


========================================================================
Solution
========================================================================
We recommend updating to the most recent 6.0.5 version of Revive Adserver, or whatever happens to be the current release at the time of reading this security advisory. 


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.
Please review https://www.revive-adserver.com/security/ before doing so. We only accept security reports through HackerOne. 


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: