CVSSv3 score: 6.1

CVE-2020-8115

Published: 04/02/2020 Updated: 21/11/2024

Vulnerability Summary

Reflected XSS in Revive Adserver <= 5.0.3 Delivery Script

A reflected XSS vulnerability exists in the afr.php script of Revive Adserver 5.0.3 and earlier. It is public information and was discovered by Jacopo Tediosi. There are no known exploits yet, because from version 3.2.2 onward the session identifier is stored in an http-only cookie. In older versions, however, it is possible in certain situations to steal the session identifier, which could give access to the admin interface. The script at www/delivery/afr.php echoes the query string back in a JavaScript context without proper security checks, which allows attackers to run arbitrary JS code in the victim's browser.
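The following added example illustrates the bug class described above: a query string written into an inline JavaScript context, first raw and then encoded. It is not Revive Adserver's code or its patch; the function names, the `params` variable and the sample query string are constructed for illustration.

```php
<?php
// Added illustration, NOT Revive Adserver code. All names here are hypothetical.

// Unsafe pattern: the raw query string is concatenated into a JS string literal.
function render_unsafe(string $queryString): string
{
    return "<script>var params = '" . $queryString . "';</script>";
}

// Safer pattern: emit the value as a JSON/JS string literal and hex-escape every
// character that matters to the HTML parser or to JS string syntax.
function render_safe(string $queryString): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    return '<script>var params = ' . json_encode($queryString, $flags) . ';</script>';
}

// Returns true when the reflected value still contains characters that can end
// the string literal or the surrounding script element.
function leaks_syntax(string $html): bool
{
    $prefix = '<script>var params = ';
    $suffix = ';</script>';
    // Strip the fixed wrapper, then the opening and closing quote of the literal.
    $literal = substr($html, strlen($prefix), -strlen($suffix));
    $inner   = substr($literal, 1, -1);
    return preg_match('/[\'"<>&]/', $inner) === 1;
}

// Constructed sample: a query string containing quote and tag characters.
$sample = "zoneid=1&loc=a'b\"c</script>d";

foreach (['render_unsafe', 'render_safe'] as $fn) {
    $out = $fn($sample);
    printf("%-13s leaks_syntax=%s\n  %s\n", $fn, var_export(leaks_syntax($out), true), $out);
}
```

The same rule applies wherever request data lands inside a script block: encode for the JavaScript context, since HTML entity encoding alone does not neutralize quote characters inside a script element.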

Vulnerable Product

revive-adserver revive adserver