Description
Revive Adserver before 3.2.3 is affected by persistent XSS. A vector for persistent XSS attacks exists via the Revive Adserver user interface and requires a trusted (non-admin) account. The website name was not properly escaped when displayed by the campaign-zone.php script.
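The class of defect described above, shown as an added PHP example that is not Revive Adserver's own code: a stored website name rendered into a table row without escaping, next to the same row escaped at output time. The function names, the row layout and the sample records are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored website records; the
// second name contains HTML metacharacters saved by a trusted user.
$websites = [
    ['id' => 1, 'name' => 'Example News'],
    ['id' => 2, 'name' => 'Shop <b>"Deals"</b> & \'More\''],
];

// Escape for HTML text and quoted-attribute contexts. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern (hypothetical): the stored name is concatenated as-is,
// so its markup is interpreted by the browser of whoever views the page.
function renderRowUnescaped(array $site): string
{
    return '<tr><td title="' . $site['name'] . '">' . $site['name'] . '</td></tr>';
}

// Hardened pattern (hypothetical): escape at output time, in every place
// the value lands, and cast numeric identifiers to int.
function renderRowEscaped(array $site): string
{
    $name = e((string) $site['name']);
    $id   = (int) $site['id'];
    return '<tr data-id="' . $id . '"><td title="' . $name . '">' . $name . '</td></tr>';
}

foreach ($websites as $site) {
    // Regression check: after escaping, no character that can open a tag
    // or terminate a quoted attribute may remain in the value.
    if (strpbrk(e($site['name']), '<>"\'') !== false) {
        throw new RuntimeException('unescaped metacharacter in website name');
    }
    echo renderRowUnescaped($site), PHP_EOL;
    echo renderRowEscaped($site), PHP_EOL;
}
```

Escaping at render time rather than at save time keeps the stored value intact and protects every page that displays it, including ones added later.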
Remediation
References