This page lists publicly disclosed CVE vulnerabilities affecting revive-adserver revive_adserver (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-53931 | Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page. | [email protected] | 5.1 | 0.03% | 2025-12-17 | 2025-12-27 |
| CVE-2025-55124 | Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script. | [email protected] | 6.1 | 0.03% | 2025-11-20 | 2025-11-26 |
| CVE-2025-55123 | Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users. | [email protected] | 5.4 | 0.03% | 2025-11-20 | 2025-12-05 |
| CVE-2025-52671 | Debug information disclosure in the SQL error message to in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to acquire information about the software, PHP and database versions currently in use. | [email protected] | 4.3 | 0.03% | 2025-11-20 | 2025-12-02 |
| CVE-2025-52670 | Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts | [email protected] | 6.5 | 0.04% | 2025-11-20 | 2025-12-02 |
| CVE-2025-52669 | Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system. | [email protected] | 4.3 | 0.03% | 2025-11-20 | 2025-12-02 |
| CVE-2025-52668 | Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack. | [email protected] | 5.4 | 0.03% | 2025-11-20 | 2025-12-02 |
| CVE-2025-52667 | Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user. | [email protected] | 5.4 | 0.03% | 2025-11-20 | 2025-12-02 |
| CVE-2025-52666 | Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an administrator user to disable the admin user console due to a fatal PHP error. | [email protected] | 2.7 | 0.06% | 2025-11-20 | 2025-12-02 |
| CVE-2025-48987 | Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack. | [email protected] | 6.1 | 0.04% | 2025-11-20 | 2025-11-25 |
| CVE-2025-48986 | Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts using the forgot password functionality. | [email protected] | 8.8 | 0.02% | 2025-11-20 | 2025-11-25 |
| CVE-2025-52664 | SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged in users | [email protected] | 8.8 | 0.03% | 2025-10-31 | 2025-12-01 |
| CVE-2025-27208 | A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed. The vulnerability is present in the admin-search.php file and can be exploited vi | [email protected] | 6.1 | 0.03% | 2025-10-31 | 2025-12-01 |
| CVE-2023-38040 | A reflected XSS vulnerability exists in Revive Adserver 5.4.1 and earlier versions.. | [email protected] | 6.1 | 8.59% | 2023-09-17 | 2024-11-21 |
| CVE-2021-22948 | Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function. Under some circumstances, an attacker could theoretically be able to brute force session IDs in order to take over a specific account. | [email protected] | 7.1 | 0.37% | 2021-09-23 | 2024-11-21 |
| CVE-2021-22889 | Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly other scripts) due to single quotes not being escaped. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code. | [email protected] | 6.1 | 0.90% | 2021-03-25 | 2024-11-21 |
| CVE-2021-22888 | Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-zones.php. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code. | [email protected] | 6.1 | 0.90% | 2021-03-25 | 2024-11-21 |
| CVE-2021-22875 | Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the `setPerPage` parameter. | [email protected] | 6.1 | 0.78% | 2021-01-28 | 2024-11-21 |
| CVE-2021-22874 | Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset` parameter. | [email protected] | 6.1 | 0.78% | 2021-01-28 | 2024-11-21 |
| CVE-2021-22873 | Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability. | [email protected] | 6.1 | 48.32% | 2021-01-26 | 2024-11-21 |