PT-2017-9965 · Revive Adserver Team · Revive Adserver
Decidedlygray
·
Published
2017-03-28
·
Updated
2019-10-09
·
CVE-2016-9128
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Revive Adserver versions prior to 3.2.3
Description
The affiliate-preview.php script in the www/admin directory of Revive Adserver reflects request parameters into its HTML output without adequate encoding, making it vulnerable to reflected cross-site scripting (XSS). An attacker who tricks an authenticated user into opening a crafted URL under /admin/affiliate-preview.php carrying malicious parameter values (for example in the username or password parameters) can run script in that user's browser, which could allow the attacker to steal the session ID of the authenticated user.
Recommendations
For versions prior to 3.2.3, update to version 3.2.3 or later, which resolves the issue. Until the upgrade can be applied, restrict access to the affiliate-preview.php script in the www/admin directory (for example at the web-server level) to the users who need it, and do not follow links to that script from untrusted sources, since the attack only requires an authenticated user to open a crafted URL.
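To confirm whether an instance still reflects a parameter verbatim (for example before and after upgrading to 3.2.3), the following check is an added example and not Revive Adserver's own code or part of the original advisory. It assumes the affected script echoes a GET parameter such as username into an HTML attribute, uses a hypothetical base URL (https://ads.example.test/), and classifies two constructed sample responses rather than real server output.

```python
"""Reflected-XSS reflection check for a parameter echoed into an HTML page.

Added example, not Revive Adserver's code. Assumption taken from the advisory
text: GET parameters of www/admin/affiliate-preview.php (e.g. username) are
reflected into the response. The sample bodies below are constructed to show
unescaped vs. escaped reflection; they were not captured from a real server.
"""
import html
from urllib.parse import urlencode, urljoin

# A probe that is harmless if entity-encoded but breaks out of an attribute
# and injects a tag if reflected verbatim.
PROBE = '"><svg onload=alert(1)>'


def build_probe_url(base_url: str, param: str, probe: str = PROBE) -> str:
    """Return the crafted URL a victim would be tricked into opening.

    base_url is assumed to be the Revive Adserver web root (with trailing slash).
    """
    script_url = urljoin(base_url, "admin/affiliate-preview.php")
    return script_url + "?" + urlencode({param: probe})


def reflection_status(body: str, probe: str = PROBE) -> str:
    """Classify how `probe` appears in the response body.

    'unescaped' -> verbatim: attacker markup reaches the HTML parser (vulnerable)
    'escaped'   -> only the HTML-entity form is present (output encoding applied)
    'absent'    -> the value is not reflected at all
    Caveat: this checks HTML-attribute/body context only; a value reflected into
    a <script> block needs a JavaScript-context check instead.
    """
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


# Constructed sample responses (not real Revive Adserver output).
VULNERABLE_BODY = (
    '<html><body><form><input type="text" name="username" '
    'value="' + PROBE + '"></form></body></html>'
)
FIXED_BODY = (
    '<html><body><form><input type="text" name="username" '
    'value="' + html.escape(PROBE, quote=True) + '"></form></body></html>'
)


def check_samples() -> dict:
    """Classify both constructed samples; used as the example's self-check."""
    return {
        "vulnerable": reflection_status(VULNERABLE_BODY),
        "fixed": reflection_status(FIXED_BODY),
    }


if __name__ == "__main__":
    print(build_probe_url("https://ads.example.test/", "username"))
    for name, status in check_samples().items():
        print(f"{name}: {status}")
```

Because the vector requires low privileges (PR:L), the script is only reachable with a logged-in session: fetch the probe URL with an authenticated client of your choice and pass the response body to reflection_status; "unescaped" means the instance is still affected.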
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Revive Adserver