Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Revive-adserver Subscribe
Filtered by product Revive Adserver
Total 46 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-9470 1 Revive-adserver 1 Revive Adserver 2019-10-09 9.3 HIGH 9.0 CRITICAL
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain.
CVE-2016-9471 1 Revive-adserver 1 Revive Adserver 2019-10-09 2.1 LOW 3.1 LOW
Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.
CVE-2016-9472 1 Revive-adserver 1 Revive Adserver 2019-10-09 3.5 LOW 5.4 MEDIUM
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective.
CVE-2017-5830 1 Revive-adserver 1 Revive Adserver 2019-10-02 7.5 HIGH 9.8 CRITICAL
Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts.
CVE-2013-7149 2 Openx, Revive-adserver 2 Openx, Revive Adserver 2018-10-30 7.5 HIGH N/A
SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.
CVE-2015-7364 1 Revive-adserver 1 Revive Adserver 2018-10-09 6.8 MEDIUM N/A
The HTML_Quickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an empty token.
CVE-2015-7371 1 Revive-adserver 1 Revive Adserver 2018-10-09 5.0 MEDIUM N/A
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request.
CVE-2015-7365 1 Revive-adserver 1 Revive Adserver 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the plugin upgrade form in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of an uploaded file containing errors.
CVE-2015-7368 1 Revive-adserver 1 Revive Adserver 2018-10-09 2.1 LOW N/A
Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache.
CVE-2015-7367 1 Revive-adserver 1 Revive Adserver 2018-10-09 7.5 HIGH N/A
Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been (1) deleted or (2) unlinked.
CVE-2015-7366 1 Revive-adserver 1 Revive Adserver 2018-10-09 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that (1) perform certain plugin actions and possibly cause a denial of service (disabled core plugins) via unknown vectors or (2) change the contact name and language or possibly have unspecified other impact via a crafted POST request to an account-user-*.php script.
CVE-2015-7372 1 Revive-adserver 1 Revive Adserver 2018-10-09 7.5 HIGH N/A
Directory traversal vulnerability in delivery-dev/al.php in Revive Adserver before 3.2.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the layerstyle parameter.
CVE-2015-7373 1 Revive-adserver 1 Revive Adserver 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the "magic-macros" feature in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via a GET parameter, which is not properly handled in a banner.
CVE-2015-7370 1 Revive-adserver 1 Revive Adserver 2018-10-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive Adserver before 3.2.2 and CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026, allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) data-file parameter.
CVE-2015-7369 1 Revive-adserver 1 Revive Adserver 2018-10-09 7.5 HIGH N/A
The default Flash cross-domain policy (crossdomain.xml) in Revive Adserver before 3.2.2 does not restrict access cross domain access, which allows remote attackers to conduct cross domain attacks via unspecified vectors.
CVE-2014-8793 1 Revive-adserver 1 Revive Adserver 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/PublisherIdField.php in Revive Adserver before 3.0.6 allows remote attackers to inject arbitrary web script or HTML via the refresh_page parameter to www/admin/report-generate.php.
CVE-2014-8875 1 Revive-adserver 1 Revive Adserver 2018-10-09 5.0 MEDIUM N/A
The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack.
CVE-2013-5954 2 Openx, Revive-adserver 2 Openx, Revive Adserver 2018-10-09 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack the authentication of administrators for requests that delete (1) users via admin/agency-user-unlink.php, (2) advertisers via admin/advertiser-delete.php, (3) banners via admin/banner-delete.php, (4) campaigns via admin/campaign-delete.php, (5) channels via admin/channel-delete.php, (6) affiliate websites via admin/affiliate-delete.php, or (7) zones via admin/zone-delete.php.
CVE-2016-9454 1 Revive-adserver 1 Revive Adserver 2017-03-29 3.5 LOW 5.4 MEDIUM
Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages.
CVE-2016-9456 1 Revive-adserver 1 Revive Adserver 2017-03-29 6.8 MEDIUM 8.8 HIGH
Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. Over 20+ such issues were fixed.