CVE-2020-8115
Published 2020-02-04
Priority: P279 · medium · CVSS 3.1 score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 7.05% (93.4th percentile)
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| https | github.com_revive-adserver_revive-adserver | — | — |
| revive-adserver | revive_adserver | < 5.1.0 | 5.1.0 |
| revive-adserver | revive_adserver | <= 5.0.3 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/www/delivery/afr.php?refresh=10000&")',10000000);alert(1337);setTimeout('alert("
yara
regex: (?mi)window\.location\.replace\(".*alert\(1337\)
- The vulnerable endpoint is the publicly accessible afr.php delivery script at path /www/delivery/afr.php. Monitor GET requests to this path where the query string contains JavaScript payloads (e.g., alert, setTimeout) or unencoded special characters such as quotes and parentheses.
- Detect exploitation attempts by matching HTTP response bodies for the pattern window.location.replace( containing injected JavaScript, while confirming absence of window.location.href.indexOf (which indicates a patched/safe response).
- Use Shodan query http.title:"revive adserver" or favicon hash 106844876 to identify exposed Revive Adserver instances for proactive scanning.
- In older versions (pre-3.2.2), successful exploitation can lead to session identifier theft; as of 3.2.2 the session identifier is stored in an http-only cookie, so monitor for non-http-only session cookies on Revive Adserver deployments.
- The XSS vulnerability in afr.php was partially mitigated in modern browsers (automatic URL encoding), but older browsers such as IE10 that do not automatically URL-encode parameters remain vulnerable even after the original CVE-2020-8115 fix, tracked separately as CVE-2021-22872.
- The Nuclei template targets Revive Adserver versions up to and including 5.0.3. Ensure detection rules are scoped to this version range to avoid false positives on patched (5.1.0+) instances.
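One way to apply the request-side and response-side checks listed above, as an added example (not code from this page or from the Revive Adserver project). The function names, flag labels and sample inputs are constructed for illustration, and the shape of the echoed response body is assumed from the page's regex.

```python
import re
from urllib.parse import urlsplit, unquote

AFR_PATH = "/www/delivery/afr.php"
JS_CALL = re.compile(r"(?i)\b(?:alert|settimeout)\s*\(")  # calls the page names
# Probe-specific response matcher quoted on the page (marker value 1337).
REFLECTED = re.compile(r'(?mi)window\.location\.replace\(".*alert\(1337\)')
PATCHED_HINT = "window.location.href.indexOf"  # page: indicates a patched response

def request_flags(target):
    """Reasons a request target for afr.php looks like an injection attempt."""
    parts = urlsplit(target)
    if not parts.path.endswith(AFR_PATH):
        return []
    raw, decoded = parts.query, unquote(parts.query)
    flags = []
    if '"' in raw:  # modern browsers URL-encode this, so a raw quote is unusual
        flags.append("unencoded-double-quote")
    if re.search(r"""["']""", decoded) and re.search(r"[()]", decoded):
        flags.append("quote-and-parens")
    if JS_CALL.search(decoded):
        flags.append("js-call")
    return flags

def classify_response(body):
    """'patched', 'reflected' (probe marker echoed into the script) or 'no-match'."""
    if PATCHED_HINT in body:
        return "patched"
    return "reflected" if REFLECTED.search(body) else "no-match"

# Constructed samples: zoneid/cb values and ads.example are made up; the probe
# query string is the one listed on the page.
BENIGN = "/www/delivery/afr.php?zoneid=3&refresh=30&cb=81723"
PROBE_RAW = '''/www/delivery/afr.php?refresh=10000&")',10000000);alert(1337);setTimeout('alert("'''
PROBE_ENC = "/www/delivery/afr.php?refresh=10000&%22)%27,10000000);alert(1337);setTimeout(%27alert(%22"
ECHOED = '''setTimeout('window.location.replace("http://ads.example/www/delivery/afr.php?refresh=10000&")',10000000);alert(1337);setTimeout('alert("")', 10000000);'''
FIXED = 'if (window.location.href.indexOf("afr.php") > -1) { /* constructed */ }'

if __name__ == "__main__":
    for t in (BENIGN, PROBE_RAW, PROBE_ENC):
        print(request_flags(t), t[:48])
    for b in (ECHOED, FIXED, "<html></html>"):
        print(classify_response(b))
```

The `unencoded-double-quote` flag separates clients that send the quote raw (the IE10 case tracked as CVE-2021-22872) from requests where the payload arrives percent-encoded.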
CVSS provenance
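| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |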
GHSA
GHSA-xqrq-qgmp-x7x4: Revive Adserver before 5
ghsa_unreviewed·2022-05-24·CVSS 6.1
CVE-2021-22872 [MEDIUM] CWE-79 GHSA-xqrq-qgmp-x7x4: Revive Adserver before 5
Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php delivery script. While this issue was previously addressed in modern browsers as CVE-2020-8115, some older browsers (e.g., IE10) that do not automatically URL encode parameters were still vulnerable.
GHSA
GHSA-6qfg-3f8q-4rrv: A reflected XSS vulnerability has been discovered in the publicly accessible afr
ghsa_unreviewed·2022-05-24
CVE-2020-8115 [MEDIUM] GHSA-6qfg-3f8q-4rrv: A reflected XSS vulnerability has been discovered in the publicly accessible afr
VulnCheck
revive-adserver revive_adserver Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.1
CVE-2020-8115 [MEDIUM] revive-adserver revive_adserver Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: revive-adserver revive_adserver
No detection rules found.
Nuclei
Revive Adserver <=5.0.3 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2020-8115 [MEDIUM] Revive Adserver <=5.0.3 - Cross-Site Scripting
Revive Adserver 5.0.3 and prior contains a reflected cross-site scripting vulnerability in the publicly accessible afr.php delivery script. In older versions, it is possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script is printed back without proper escaping, allowing an attacker to execute arbitrary JavaScript code on the browser of the victim.
Template:

```yaml
id: CVE-2020-8115

info:
  name: Revive Adserver <=5.0.3 - Cross-Site Scripting
  author: madrobot,dwisiswant0
  severity: medium
  description: |
    Revive Adserver 5.0.3 and prior contains a reflected cross-site scripting vulnerability in the publicly accessible afr.php delivery script. In older versions, it is poss
```
No writeups or analysis indexed.