CVE-2020-8115
published 2020-02-04

Priority: P279
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 7.05% (93.4th percentile)
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.

Affected

3 ranges

Vendor                                              Product          Version range  Fixed in
https://github.com/revive-adserver/revive-adserver  (not listed)     (not listed)   (not listed)
revive-adserver                                     revive_adserver  < 5.1.0        5.1.0
revive-adserver                                     revive_adserver  <= 5.0.3       (not listed)

Detection & IOCs (extracted from sources)

path: /www/delivery/afr.php
url (Nuclei probe): {{BaseURL}}/www/delivery/afr.php?refresh=10000&")',10000000);alert(1337);setTimeout('alert("
yara (regex): (?mi)window\.location\.replace\(".*alert\(1337\)
  • The vulnerable endpoint is the publicly accessible afr.php delivery script at /www/delivery/afr.php. Monitor GET requests to this path whose query string (after URL decoding) contains JavaScript payload markers such as alert or setTimeout, or unencoded special characters such as quotes and parentheses.
  • Detect successful reflection by matching HTTP response bodies for window.location.replace(" followed by injected JavaScript (the regex above), while confirming the absence of window.location.href.indexOf, which the sources associate with a patched response. Check the negative match first so a patched build that merely echoes probe text is not reported as exploited.
  • Use the Shodan query http.title:"revive adserver" or the favicon hash 106844876 to inventory exposed Revive Adserver instances for proactive scanning.
  • On versions before 3.2.2 the session identifier is reachable from script, so successful exploitation can lead to session theft and admin access; from 3.2.2 onward the session identifier is stored in an http-only cookie. Verify that deployed instances are at least 3.2.2 and that the session cookie actually carries the HttpOnly flag.
  • The afr.php XSS is partially mitigated in modern browsers, which automatically percent-encode URL parameters, but browsers that do not (IE10, for example) remained vulnerable even after the original CVE-2020-8115 fix; that incomplete fix is tracked separately as CVE-2021-22872.
  • The Nuclei template targets Revive Adserver versions up to and including 5.0.3. Scope detection rules to that version range to avoid false positives on patched (5.1.0 and later) instances.
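The detection bullets above, and the description's point that the query string is "printed back without proper escaping in a JavaScript context", are easier to reason about with runnable code. The following Python is an added example: it is not code from this page, from Revive Adserver, or from the Nuclei template. The access-log lines and response bodies are constructed samples; the render_refresh_vulnerable/render_refresh_hardened functions are a mock of the bug pattern implied by the payload's shape (closing a string literal inside setTimeout and appending code), not afr.php's real source, and the hardened variant shows one way to fix that pattern rather than the project's actual patch. The regex and the window.location.href.indexOf negative marker come from the IOC section.

```python
import json
import re
from urllib.parse import quote, unquote, urlsplit

AFR_PATH = "/www/delivery/afr.php"

# --- 1. Request-side detection: probes against afr.php -------------------------
# Legitimate afr.php query strings carry parameters such as zoneid=, cb= and
# refresh=; quotes, parentheses and JavaScript identifiers are not expected there.
SUSPICIOUS_QS = re.compile(r"""["'()]|\b(?:alert|setTimeout|eval|document|window)\b""", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')

def is_afr_probe(log_line):
    """True when an access-log line is a GET/HEAD to afr.php whose URL-decoded
    query string contains XSS payload markers."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return False
    target = urlsplit(m.group(1))
    if target.path != AFR_PATH:
        return False
    return bool(SUSPICIOUS_QS.search(unquote(target.query)))

# --- 2. Response-side detection: the rule from the IOC section -----------------
INJECTED_RE = re.compile(r'(?mi)window\.location\.replace\(".*alert\(1337\)')
PATCHED_MARKER = "window.location.href.indexOf"  # associated with patched builds per the IOC notes

def classify_response(body):
    """Negative match first: a patched body is never reported as exploited."""
    if PATCHED_MARKER in body:
        return "patched"
    if INJECTED_RE.search(body):
        return "exploited"
    return "clean"

# --- 3. Why the payload works: constructed mock of the reflected-into-JS pattern -
NUCLEI_PAYLOAD = 'refresh=10000&")\',10000000);alert(1337);setTimeout(\'alert("'

def render_refresh_vulnerable(query_string, refresh):
    """Mock (NOT afr.php source) of the bug class: the raw query string is
    concatenated into a single-quoted JS string that setTimeout will evaluate.
    The payload closes the string with ")' and the trailing ")', refresh) of the
    template closes the attacker's dangling setTimeout('alert(" call."""
    return ("setTimeout('window.location.replace(\"" + AFR_PATH + "?" + query_string
            + "\")'," + str(refresh) + ")")

def js_string_literal(s):
    """JSON-encode, then also escape the characters that matter inside <script>."""
    return (json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026").replace("'", "\\u0027"))

def render_refresh_hardened(query_string, refresh):
    """One hardening of the same feature (an assumption, not the project's fix):
    percent-encode the query before reusing it in a URL, pass a function rather
    than a string to setTimeout, and coerce the delay to an integer."""
    url = AFR_PATH + "?" + quote(query_string, safe="/=&")
    return ("setTimeout(function(){window.location.replace(" + js_string_literal(url)
            + ");}," + str(int(refresh)) + ")")

# --- Constructed sample data for a dry run ---------------------------------------
LOG_LINES = [
    '203.0.113.5 - - [04/Feb/2020:10:00:01 +0000] "GET /www/delivery/afr.php?zoneid=1&cb=123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Feb/2020:10:00:07 +0000] "GET /www/delivery/afr.php?refresh=10000&%22)%27,10000000);alert(1337);setTimeout(%27alert(%22 HTTP/1.1" 200 740',
    '198.51.100.2 - - [04/Feb/2020:10:00:09 +0000] "GET /www/images/logo.png HTTP/1.1" 200 9000',
]
# Constructed stand-in for a patched response (shape assumed, not copied from the project).
PATCHED_BODY = ('<script type="text/javascript">if (window.location.href.indexOf(\'refresh=\') == -1) '
                '{ setTimeout(function(){ window.location.replace("/www/delivery/afr.php?refresh=10000"); }, 10000); }</script>')

if __name__ == "__main__":
    for line in LOG_LINES:
        print("probe" if is_afr_probe(line) else "ok   ", line[:80])
    vuln = render_refresh_vulnerable(NUCLEI_PAYLOAD, 10000)
    hard = render_refresh_hardened(NUCLEI_PAYLOAD, 10000)
    print(classify_response(vuln), "<-", vuln)
    print(classify_response(hard), "<-", hard)
    print(classify_response(PATCHED_BODY), "<- constructed patched body")
```

The vulnerable render shows the breakout the Nuclei probe relies on: the output is valid JavaScript in which alert(1337) sits at top level between two setTimeout calls. In the hardened render the same input stays inside a single string literal with parentheses and quotes percent-encoded, so the page's regex no longer matches; that is also why the IOC bullet warns that once a server encodes the parameter itself, only browsers that do not auto-encode (the CVE-2021-22872 case) still reach the reflected sink.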

CVSS provenance

NVD v3.1:  6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0:  4.3 MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 6.1 MEDIUM