cbcvebase.
CVE-2016-9471
published 2017-03-28

CVE-2016-9471: Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver…

PriorityP410low3.1CVSS 3.0
AVNACHPRHUIRSUCLILAN
EPSS
1.37%
68.4th percentile
Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.

Affected

2 ranges
VendorProductVersion rangeFixed in
revive-adserverrevive_adserver<= 3.2.4
revive-adserverrevive_adserver

CVSS provenance

nvdv3.03.1LOWCVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
nvdv2.02.1LOWAV:N/AC:H/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.