PT-2019-17666 · Revive Adserver · Revive Adserver

Published 2019-05-06 · Updated 2019-12-16 · CVE-2019-5434

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Revive Adserver versions prior to 4.2.0

Description: The issue allows an attacker to send a specifically crafted payload to the XML-RPC invocation script, triggering the unserialize() call on the "what" parameter in the openads.spc RPC method. This could be used to perform various types of attacks, such as exploiting serialize-related PHP vulnerabilities or PHP object injection. There is an unconfirmed possibility that the vulnerability has been used by attackers to gain access to Revive Adserver instances and deliver malware to third-party websites.

Recommendations: For versions prior to 4.2.0, update to version 4.2.0 to address the issue. As a temporary workaround, consider restricting access to the openads.spc RPC method until the update is applied. Avoid using the "what" parameter in the affected XML-RPC invocation script until the issue is resolved.
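As an added example (not code from the advisory or from the Revive Adserver project), a small request filter in Python that applies the workaround above: it rejects XML-RPC calls to openads.spc outright and, as a broader defensive check, flags any string argument that carries a PHP serialized object marker, since that is the data shape unserialize() would act on. Only the method name openads.spc comes from the advisory; the argument layout, the other method names and the sample bodies are constructed assumptions.

```python
# Added example, not part of the advisory or the Revive Adserver code base.
# Inspects an XML-RPC request body before it reaches the PHP handler.
import re
import xml.etree.ElementTree as ET

# Method named in the advisory; assumption: block it until patched.
BLOCKED_METHODS = {"openads.spc"}
# PHP serialized object/class markers: O:<len>:"Class": or C:<len>:"Class":
# either at the start of the value or nested after ';' or '{'.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"[^"]+":')


def inspect_xmlrpc(body: str) -> dict:
    """Return the method name and a block/allow verdict for one request."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "blocked": True, "reason": "malformed XML"}
    method = root.findtext("methodName") or ""
    if method in BLOCKED_METHODS:
        return {"method": method, "blocked": True, "reason": "blocked method"}
    # XML-RPC params are positional, so scan every string-typed (and untyped,
    # which XML-RPC treats as string) value rather than a named "what" field.
    for el in root.iter():
        if el.tag in ("string", "value") and el.text and PHP_OBJECT_RE.search(el.text):
            return {"method": method, "blocked": True, "reason": "php object in argument"}
    return {"method": method, "blocked": False, "reason": "ok"}


# Constructed sample bodies (not captured traffic).
SAMPLE_BLOCKED_METHOD = """<methodCall><methodName>openads.spc</methodName>
<params><param><value><string>a:1:{s:3:"key";s:5:"value";}</string></value></param></params>
</methodCall>"""
SAMPLE_OBJECT_ARG = """<methodCall><methodName>example.other</methodName>
<params><param><value><string>a:1:{i:0;O:8:"stdClass":0:{}}</string></value></param></params>
</methodCall>"""
SAMPLE_OK = """<methodCall><methodName>example.ping</methodName>
<params><param><value>hello</value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for name, body in [("blocked method", SAMPLE_BLOCKED_METHOD),
                       ("object argument", SAMPLE_OBJECT_ARG),
                       ("benign", SAMPLE_OK)]:
        print(name, "->", inspect_xmlrpc(body))
```

The regex is a coarse signal on its own; in production it belongs in front of the handler as a complement to upgrading to 4.2.0, not as a substitute.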

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2019-5434

Affected Products

Revive Adserver