Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable API with PR:L (account required); bypassing admin restriction enables both read and write admin API actions, warranting I:L over the vendor's I:N.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.
AnalysisAI
Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid low-privilege account on the Revive Adserver instance (consistent with CVSS PR:L) to issue an authenticated HTTP request to the XML-RPC endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.0 score of 4.3 (Medium) with C:L/I:N/A:N likely underestimates realistic impact: bypassing an admin-only API gate plausibly enables both read and write operations on advertising campaigns, user data, and platform configuration, suggesting I:L at minimum. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged Revive Adserver user sends an ox.login XML-RPC request containing admin credentials they do not possess; the server returns an authentication-failure error but also sets a live session cookie in the HTTP response headers. The attacker extracts that Set-Cookie value, discards the error, and includes the session token in subsequent XML-RPC API calls to invoke admin-restricted methods - such as modifying ad campaigns or retrieving account data - without ever possessing the admin password. … |
| Remediation | Consult the HackerOne disclosure at https://hackerone.com/reports/3783738 for patch availability - no vendor-released fixed version has been independently confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln
Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for
Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S
Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa
Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the
Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent
Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or
Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag
Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei
Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their o
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39600
GHSA-q5xg-wh3x-vmcf