CVE-2016-9128

Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
VendorProductVersion
revive-adserverrevive_adserver
𝑥
≤ 3.2.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/revive-adserver/revive-adserver/commit/a323fd626627e8d42819fd5b7e2829196b5c54a3
https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3412ded751cda50b82338de471d656d74
https://hackerone.com/reports/99004
https://www.revive-adserver.com/security/revive-sa-2016-001/
https://github.com/revive-adserver/revive-adserver/commit/a323fd626627e8d42819fd5b7e2829196b5c54a3
https://github.com/revive-adserver/revive-adserver/commit/e17a7ec3412ded751cda50b82338de471d656d74
https://hackerone.com/reports/99004
https://www.revive-adserver.com/security/revive-sa-2016-001/