Adserver
CVE-2023-26756
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. NOTE: The vendor's position is that this is effectively mitigated by rate limits and password-quality features.
AnalysisAI
The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-307. The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. NOTE: The vendor's position is that this is effectively mitigated by rate limits and password-quality features. Affected products include: Revive Adserver.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for
Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S
Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa
Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the
Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent
Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or
Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag
Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to by
Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei
Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their o
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today