Skip to main content

Revive Adserver CVE-2016-9124

CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2017-03-28 support@hackerone.com
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 28, 2017 - 02:59 cve.org
CRITICAL 9.8

DescriptionCVE.org

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

AnalysisAI

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-307. Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress. Affected products include: Revive-Adserver Revive Adserver. Version information: before 3.2.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-5434 CRITICAL POC
9.8 May 06

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() cal

CVE-2019-5440 HIGH POC
8.1 May 28

Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potent

CVE-2013-5954 MEDIUM POC
6.8 Apr 25

Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack

CVE-2021-22948 HIGH POC
7.1 Sep 23

Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqi

CVE-2020-8142 MEDIUM POC
6.8 Apr 03

A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoa

CVE-2017-5830 CRITICAL
9.8 Mar 03

Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies relate

CVE-2023-38040 MEDIUM POC
6.1 Sep 17

A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earlier versions.. Rated medium severity (CVSS 6.1), t

CVE-2021-22889 MEDIUM POC
6.1 Mar 25

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.

CVE-2021-22888 MEDIUM POC
6.1 Mar 25

Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-

CVE-2021-22875 MEDIUM POC
6.1 Jan 28

Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the `setPerPage` parameter.

CVE-2021-22874 MEDIUM POC
6.1 Jan 28

Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset`

CVE-2021-22873 MEDIUM POC
6.1 Jan 26

Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg

Share

CVE-2016-9124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy