CVE-2016-9126

Summary

Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account.

Affected Software

VendorProductVersion RangeStatus
n/aRevive Adserver All versions before 3.2.3Revive Adserver All versions before 3.2.3affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

ADP Enrichment

CVE Program Container

Additional References

References