First published: Thu Mar 25 2021
Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly other scripts) due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code.
Credit: support@hackerone.com
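As an added illustration (not Revive Adserver's code, and not the payload from the HackerOne report), the Python model below shows why an escaper that leaves single quotes alone is fatal once a request parameter such as `statsBreakdown` is reflected inside a single-quoted HTML attribute. The weak escaper mirrors PHP's `htmlspecialchars()` called without `ENT_QUOTES`, which was the default before PHP 8.1; the `<a href='...'>` template, and the `accesskey`/`onclick` pair standing in for the "certain key combination" in the description, are assumptions made for the demonstration only. A small HTML parser plays the browser and reports which attributes the injected value managed to add.

```python
"""Model of the root cause behind CVE-2021-22889: a reflected parameter lands
inside a single-quoted HTML attribute, but the escaper never encodes the
single quote.

Added illustration only. This is NOT Revive Adserver code, and the payload is
a constructed one, not the one from the HackerOne report.
"""
from html.parser import HTMLParser


def escape_without_single_quote(value: str) -> str:
    """Weak escaper: encodes &, <, > and " but leaves ' untouched.

    Mirrors PHP's htmlspecialchars() without ENT_QUOTES (the default
    before PHP 8.1).
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def escape_all_quotes(value: str) -> str:
    """Fixed escaper: also encodes ', so the value can no longer terminate a
    '-quoted attribute (the equivalent of passing ENT_QUOTES)."""
    return escape_without_single_quote(value).replace("'", "&#039;")


def render_breakdown_link(stats_breakdown: str, escape) -> str:
    """Assumed template: a stats page reflects the request parameter into a
    single-quoted href. The real Revive markup is not reproduced here."""
    return f"<a href='stats.php?statsBreakdown={escape(stats_breakdown)}'>breakdown</a>"


class _StartTagAttrs(HTMLParser):
    """Collects every attribute a browser-like parser sees on start tags."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def injected_attributes(markup: str) -> dict:
    """Return every attribute other than the template's own href.

    A non-empty result means the parameter broke out of the attribute value
    and smuggled in new attributes (an event handler, in this model)."""
    parser = _StartTagAttrs()
    parser.feed(markup)
    parser.close()
    return {name: val for name, val in parser.attrs if name != "href"}


# Constructed payload. The accesskey/onclick pair is an assumption standing in
# for the advisory's "certain key combination": the handler fires when the
# victim presses the accesskey chord, not on page load, which is why the
# description talks about clicking a link AND pressing keys.
PAYLOAD = "day' accesskey='x' onclick='alert(document.domain)"


def demo() -> tuple:
    """Render the link with each escaper and report what leaked through."""
    weak = injected_attributes(render_breakdown_link(PAYLOAD, escape_without_single_quote))
    fixed = injected_attributes(render_breakdown_link(PAYLOAD, escape_all_quotes))
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak escaper  :", weak)   # {'accesskey': 'x', 'onclick': 'alert(document.domain)'}
    print("fixed escaper :", fixed)  # {}
```

The practical check this models: whenever a reflected value sits in an attribute, the escaper must encode whichever quote character delimits that attribute. Encoding `"` alone protects only double-quoted attributes, so the safe default is to encode both quotes (`ENT_QUOTES` in PHP, or a framework escaper that does so unconditionally) regardless of which delimiter the template happens to use today.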
Affected Software | Affected Version | How to fix
---|---|---
Revive Adserver (vendor: revive-adserver) | < 5.2.0 | Upgrade to 5.2.0 or later
CVE-2021-22889 is a reflected XSS vulnerability in Revive Adserver before v5.2.0.
CVE-2021-22889 allows an attacker to execute malicious scripts in the browser of a user with access to Revive Adserver's user interface, by tricking that user into clicking a specially crafted link and then pressing a certain key combination; the injected JavaScript runs in the user's authenticated session.
The severity of CVE-2021-22889 is medium, with a CVSS v3 base score of 6.1.
To fix CVE-2021-22889, upgrade Revive Adserver to version 5.2.0 or later.
You can find more information about CVE-2021-22889 at the following references: [GitHub](https://github.com/revive-adserver/revive-adserver/commit/2f868414), [HackerOne](https://hackerone.com/reports/1097217), and [Revive Adserver Security Advisory](https://www.revive-adserver.com/security/revive-sa-2021-003/).