Johan Caluwe

**Name of the Vulnerable Software and Affected Versions** PMB versions 7.3.1 through 7.3.18 PMB versions 7.4.1 through 7.4.9 PMB versions 7.5.1 through 7.5.6-2 **Description** The issue is related to the deserialization of untrusted data, which can lead to remote code inclusion. This allows a remote attacker to execute arbitrary code. **Recommendations** For PMB versions 7.3.1 through 7.3.18, update to version 7.3.18 or later. For PMB versions 7.4.1 through 7.4.9, update to version 7.4.9 or later. For PMB versions 7.5.1 through 7.5.6-2, update to version 7.5.6-2 or later.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 3.2.3 **Description** The issue allows for persistent XSS attacks through the user interface, requiring a trusted non-admin account. A vector exists due to the improper escaping of the banner image URL for external banners when displayed on most banner-related pages. **Recommendations** For versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the banner image URL for external banners to minimize the risk of exploitation. Avoid using the banner image URL feature in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 3.2.3 **Description** The issue affects the "www/admin/stats.php" endpoint, which is vulnerable to reflected XSS attacks. This is due to multiple parameters not being properly sanitised or escaped when displayed, including `setPerPage`, `pageId`, `bannerid`, `period start`, and `period end`. **Recommendations** For versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "www/admin/stats.php" endpoint until the update is applied. Avoid using the vulnerable parameters in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 3.2.3 **Description** The issue allows for persistent XSS attacks through the user interface, requiring a trusted non-admin account. A vector exists due to the website name not being properly escaped when displayed in the campaign-zone.php script. **Recommendations** For versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the campaign-zone.php script to minimize the risk of exploitation.