Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Low-privileged account required to inject payload (PR:L), admin must actively view log page (UI:R), execution crosses to admin privilege context (S:C), no availability impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output.
AnalysisAI
Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privileged user account on the target Revive Adserver instance - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector supplied in the input (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) is a null placeholder - it assigns zero impact and no privilege requirement, directly contradicting the description which specifies a low-privileged user initiating the attack and an admin performing a UI interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privileged Revive Adserver account and sets their Full Name to a JavaScript payload - for example, a script that POSTs the current document cookie to an attacker-controlled endpoint. The attacker then triggers any account event that generates a system email (such as a password reset), causing the email body containing the malicious name to be written to the userlog table. … |
| Remediation | Upstream fix available per HackerOne report #3669623, which confirms that proper HTML escaping was added to the userlog details output in userlog-details.php; however, the specific patched release version is not independently confirmed from available data - operators should consult the official Revive Adserver release page and the HackerOne report at https://hackerone.com/reports/3669623 to identify the exact fixed build and apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38508
GHSA-55h8-q58m-2332