CVE-2016-9126
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account.
Revive Adserver en versiones anteriores a 3.2.3 sufre de persistente XSS. Los nombres de usuario no se fugan correctamente cuando se muestran en el widget de seguimiento de auditoría del panel de control al iniciar sesión, lo que permite ataques persistentes de XSS. Un usuario autenticado con suficientes privilegios para crear otros usuarios podría explotar la vulnerabilidad para acceder a la cuenta de administrador.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-10-31 CVE Reserved
- 2017-03-28 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/revive-adserver/revive-adserver/commit/8d8c6df309ff5fde9dd4770abcd4ec5d2449b3ec | 2019-10-09 | |
| https://www.revive-adserver.com/security/revive-sa-2016-001 | 2019-10-09 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Revive-adserver Search vendor "Revive-adserver" | Revive Adserver Search vendor "Revive-adserver" for product "Revive Adserver" | <= 3.2.2 Search vendor "Revive-adserver" for product "Revive Adserver" and version " <= 3.2.2" | - |
Affected
| ||||||