CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7371
https://notcve.org/view.php?id=CVE-2015-7371
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request. Revive Adserver en versiones anteriores a 3.2.2 no restringe adecuadamente el acceso a run-mpe.php, lo que permite a atacantes remotos ejecutar el Maintenance Priority Engine y posiblemente causar una denegación de servicio (consumo de recursos) a través de una petición directa. • http://packetstormsecurity.com/files/133893/Revive-Adserver-3.2.1-CSRF-XSS-Local-File-Inclusion.html http://seclists.org/fulldisclosure/2015/Oct/32 http://www.revive-adserver.com/security/revive-sa-2015-001 http://www.securityfocus.com/archive/1/536633/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2015-7372
https://notcve.org/view.php?id=CVE-2015-7372
Directory traversal vulnerability in delivery-dev/al.php in Revive Adserver before 3.2.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the layerstyle parameter. Vulnerabilidad de salto de directorio en delivery-dev/al.php en Revive Adserver en versiones anteriores a 3.2.2 permite a atacantes remotos incluir y ejecutar archivos locales arbitrarios a través de un .. (punto punto) en el parámetro layerstyle. • http://packetstormsecurity.com/files/133893/Revive-Adserver-3.2.1-CSRF-XSS-Local-File-Inclusion.html http://seclists.org/fulldisclosure/2015/Oct/32 http://www.revive-adserver.com/security/revive-sa-2015-001 http://www.securityfocus.com/archive/1/536633/100/0/threaded https://github.com/revive-adserver/revive-adserver/commit/86b623f8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-7373
https://notcve.org/view.php?id=CVE-2015-7373
Cross-site scripting (XSS) vulnerability in the "magic-macros" feature in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via a GET parameter, which is not properly handled in a banner. Vulnerabilidad de XSS en la funcionalidad 'magic-macros' en Revive Adserver en versiones anteriores a 3.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un parámetro GET, que no es manejado adecuadamente en el banner. • http://packetstormsecurity.com/files/133893/Revive-Adserver-3.2.1-CSRF-XSS-Local-File-Inclusion.html http://seclists.org/fulldisclosure/2015/Oct/32 http://www.revive-adserver.com/security/revive-sa-2015-001 http://www.securityfocus.com/archive/1/536633/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9407
https://notcve.org/view.php?id=CVE-2014-9407
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via a request to agency-delete.php, (2) tracker-delete.php, or (3) userlog-delete.php in admin/ or (4) unlink accounts via a request to admin-user-unlink.php. (5) advertiser-user-unlink.php, or (6) affiliate-user-unlink.php in admin/. Diversas vulnerabilidades de CSRF en Revive Adserver anterior a 3.0.5 permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que (1) borren datos a través de una petición a agency-delete.php, (2) a tracker-delete.php o (3) a userlog-delete.php en admin/ o (4) desenlazar cuentas a través de peticiones a admin-user-unlink.php. (5) a advertiser-user-unlink.php o (6) affiliate-user-unlink.php en admin/. • http://www.revive-adserver.com/security/revive-sa-2014-001 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2014-8793 – Revive Adserver 3.0.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-8793
Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/PublisherIdField.php in Revive Adserver before 3.0.6 allows remote attackers to inject arbitrary web script or HTML via the refresh_page parameter to www/admin/report-generate.php. Vulnerabilidad de XSS en lib/max/Admin/UI/Field/PublisherIdField.php en Revive Adserver anterior a 3.0.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro refresh_page hacia www/admin/report-generate.php. Revive Adserver versions 3.0.5 and below suffer from cross site scripting and denial of service vulnerabilities. • http://packetstormsecurity.com/files/129621/Revive-Adserver-3.0.5-Cross-Site-Scripting-Denial-Of-Service.html http://packetstormsecurity.com/files/129622/Revive-Adserver-3.0.5-Cross-Site-Scripting.html http://www.revive-adserver.com/security/revive-sa-2014-002 http://www.securityfocus.com/archive/1/534264/100/0/threaded http://www.securityfocus.com/archive/1/534269/100/0/threaded http://www.securityfocus.com/bid/71718 https://github.com/revive-adserver/revive-adserver/commit/2be73f9 https:&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •