CVE-2021-22889

Name of the Vulnerable Software and Affected Versions Revive Adserver versions prior to 5.2.0

Description The issue is related to a reflected XSS vulnerability due to single quotes not being escaped in the statsBreakdown parameter of stats.php, and possibly other scripts. An attacker could trick a user into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code.

Recommendations For versions prior to 5.2.0, update to version 5.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the stats.php script and avoiding the use of the statsBreakdown parameter until a patch is applied.