CVE-2020-8115

Name of the Vulnerable Software and Affected Versions Revive Adserver versions prior to 5.0.4

Description A reflected XSS issue has been found in the afr.php delivery script. This issue allows an attacker to execute arbitrary JS code on the victim's browser by sending a query string to the "www/delivery/afr.php" script, which is then printed back without proper escaping in a JavaScript context. On older versions, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. However, as of version 3.2.2, the session identifier is stored in an http-only cookie, making it inaccessible.

Recommendations For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the afr.php script to minimize the risk of exploitation.