CVE-2020-8115 - OpenCVE

Vendors	Products
Revive-adserver	Revive Adserver

Link	Resource
https://hackerone.com/reports/775693	Exploit Patch Third Party Advisory
https://www.revive-adserver.com/security/revive-sa-2020-001/	Vendor Advisory

{"containers": {"cna": {"affected": [{"product": "https://github.com/revive-adserver/revive-adserver", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed version v5.0.4"}]}], "descriptions": [{"lang": "en", "value": "A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS) - Reflected (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-04T19:08:57", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/775693"}, {"tags": ["x_refsource_MISC"], "url": "https://www.revive-adserver.com/security/revive-sa-2020-001/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8115", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/revive-adserver/revive-adserver", "version": {"version_data": [{"version_value": "Fixed version v5.0.4"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/775693", "refsource": "MISC", "url": "https://hackerone.com/reports/775693"}, {"name": "https://www.revive-adserver.com/security/revive-sa-2020-001/", "refsource": "MISC", "url": "https://www.revive-adserver.com/security/revive-sa-2020-001/"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8115", "datePublished": "2020-02-04T19:08:57", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2020-02-04T19:08:57", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "76B2099E-A9EA-4106-B234-460E5A9F43D6", "versionEndIncluding": "5.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de tipo XSS reflejado en el script de entrega afr.php de acceso p\u00fablico de Revive Adserver versiones anteriores e incluyendo a la 5.0.3 de Jacopo Tediosi. Actualmente no existen explotaciones conocidas: el identificador de sesi\u00f3n no puede ser accedido ya que est\u00e1 almacenado en una cookie solo http a partir de la versi\u00f3n v3.2.2. Sin embargo, en versiones anteriores, en circunstancias espec\u00edficas, podr\u00eda ser posible robar el identificador de sesi\u00f3n y conseguir acceso a la interfaz de administraci\u00f3n. La cadena de consulta enviada en el script www/delivery/afr.php fue impresa sin escapar apropiadamente en un contexto JavaScript, permitiendo a un atacante ejecutar c\u00f3digo JS arbitrario en el navegador de la v\u00edctima."}], "id": "CVE-2020-8115", "lastModified": "2020-02-11T13:40:18.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T20:15:13.213", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/775693"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://www.revive-adserver.com/security/revive-sa-2020-001/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "support@hackerone.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

JSON object

JSON object

JSON object