CVE-2016-9471

28.03.2017, 02:59

Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.

Special Element Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.1 LOW	NETWORK	HIGH	HIGH	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
hackerone	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
revive-adserver	revive_adserver	𝑥 ≤ 3.2.4
revive-adserver	revive_adserver	4.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
The software does not adequately filter user-controlled input for special elements with control implications.

References

https://github.com/revive-adserver/revive-adserver/commit/05b1eceb

https://hackerone.com/reports/128181

https://www.revive-adserver.com/security/revive-sa-2016-002/

https://github.com/revive-adserver/revive-adserver/commit/05b1eceb

https://hackerone.com/reports/128181

https://www.revive-adserver.com/security/revive-sa-2016-002/