PT-2017-10161 · Revive Adserver Team · Revive Adserver

Abdullah Hussam · Published 2017-03-28 · Updated 2019-10-09 · CVE-2016-9470

CVSS v2.0: 9.3 (Critical)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Revive Adserver versions prior to 3.2.5
Revive Adserver versions prior to 4.0.0

Description
The issue allows an attacker to gain control over a victim's machine through a Reflected File Download (RFD) web attack vector. In an RFD attack the victim is tricked into downloading a file that genuinely comes from a trusted domain: the endpoint reflects attacker-supplied input into its response body, and the attacker crafts the URL so that the browser saves that response under a filename and extension of the attacker's choosing (for example a Windows batch file). Because the download originates from a trusted domain, the victim is likely to open it, executing the attacker's reflected content. The "www/delivery/asyncspc.php" endpoint was vulnerable to this attack.

Recommendations
For Revive Adserver versions prior to 3.2.5, update to version 3.2.5 or later. For Revive Adserver versions prior to 4.0.0, update to version 4.0.0 or later. As a temporary workaround until the upgrade can be applied, restrict access to the "www/delivery/asyncspc.php" endpoint; note that this breaks ad delivery for any invocation code that relies on that asynchronous single-page-call script.
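The following is an added example, not Revive Adserver code and not the original asyncspc.php logic. It models the reflection pattern that makes a JSON/JSONP-style delivery endpoint RFD-prone, a hardened variant that removes each precondition, and a small checker a tester can run over captured responses. All function names, header values and the sample payload are assumptions for illustration.

```python
"""
Added example (not Revive Adserver code): the reflection pattern behind
Reflected File Download on a JSON/JSONP-style delivery endpoint, a hardened
variant, and a checker for captured responses. Names, header values and the
sample data are assumptions for illustration.
"""
import json
import re

# Constructed stand-in for the ad data a delivery script would return.
SAMPLE_AD = {"zone": 1, "html": "<a href=\"https://ads.example/click\">ad</a>"}

# Constructed attacker-controlled value in the classic RFD shape: once the
# browser has saved the response under an attacker-chosen name such as
# setup.bat, the "||" makes cmd.exe run the text before it and ignore the
# JSON that follows.
ATTACK_CALLBACK = "start calc||"


def vulnerable_endpoint(callback: str):
    """Echoes the callback parameter verbatim into the body and fixes no
    filename, so the saved file's name and extension come from the URL
    (e.g. a trailing ;/setup.bat path segment) and its first bytes from
    the attacker. Returns (status, headers, body)."""
    body = f"{callback}({json.dumps(SAMPLE_AD)});"
    headers = {"Content-Type": "application/json"}
    return 200, headers, body


# Only a plain, optionally dotted, JavaScript identifier is a valid callback.
_SAFE_CALLBACK = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def hardened_endpoint(callback: str):
    """Removes every RFD precondition: no attacker bytes reach the body
    (strict callback whitelist), the download name is fixed by the server,
    and MIME sniffing is disabled. Returns (status, headers, body)."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # A server-fixed filename means a direct navigation is saved under
        # this name regardless of how the URL path was crafted.
        "Content-Disposition": 'attachment; filename="asyncspc.json"',
        "X-Content-Type-Options": "nosniff",
    }
    if not _SAFE_CALLBACK.match(callback):
        return 400, headers, json.dumps({"error": "invalid callback"})
    body = f"{callback}({json.dumps(SAMPLE_AD)});"
    return 200, headers, body


def rfd_findings(headers: dict, body: str, reflected_value: str):
    """Check a captured response for the RFD preconditions. Returns the
    list of problems found; an empty list means none of them hold."""
    problems = []
    if reflected_value in body:
        problems.append("attacker-controlled input is reflected into the body")
    if "filename=" not in headers.get("Content-Disposition", ""):
        problems.append("no server-fixed filename in Content-Disposition")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff is missing")
    return problems


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_endpoint),
                          ("hardened", hardened_endpoint)):
        status, headers, body = handler(ATTACK_CALLBACK)
        print(f"{name}: HTTP {status}, "
              f"findings={rfd_findings(headers, body, ATTACK_CALLBACK)}")
```

The callback whitelist is the fix that matters, since it stops attacker bytes from reaching the body at all; the Content-Disposition filename and nosniff header are defence in depth. Browsers apply Content-Disposition to navigations, not to script or XHR subresource loads, so legitimate JSONP invocation code keeps working with the hardened headers.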

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2016-9470

Affected Products

Revive Adserver