CVE-2021-22873
Published: 2021-01-26
Priority P276 · medium · 6.1 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 66.14% (99.2th percentile)
Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| https | github.com_revive-adserver_revive-adserver | — | — |
| revive-adserver | revive_adserver | < 5.1.0 | 5.1.0 |
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP GET requests to delivery scripts (lg.php, ck.php) under common Revive Adserver install paths with open redirect parameters: dest, oadest, or ct0
- Fingerprint Revive Adserver instances via Shodan/FOFA using favicon hash 106844876 or page title 'revive adserver' to identify exposed targets
- Common Revive Adserver install sub-paths to probe: /ads/, /adserve/, /adserver/, /openx/, /revive/, and root /www/delivery/
- The vulnerability affects Revive Adserver versions before 5.1.0 only; instances running 5.1.0 or later have the open redirect functionality removed
- The open redirect was previously intentional design for third-party ad server click tracking; detections must account for legitimate historical use in older deployments
- The Nuclei template uses stop-at-first-match and follows up to 2 redirects; detection logic should allow for redirect chaining when validating exploitation
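The log check described in the first bullet, as an added example (not code from this page, the Nuclei template, or Revive Adserver). It assumes common/combined-format access logs and looks only at `dest`, `oadest` and `ct0` passed as direct query parameters; the function names and the `trusted_hosts` allowlist, which stands in for the legitimate third-party click trackers mentioned above, are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Delivery scripts and parameters named in the CVE description.
SCRIPTS = ("lg.php", "ck.php")
PARAMS = ("dest", "oadest", "ct0")
# Client address and request target from a common/combined-format log line.
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def redirect_host(value):
    """Host of an absolute or scheme-relative URL, or None for a local path."""
    # Undo one extra layer of encoding; browsers read "\" as "/" in http URLs.
    value = unquote(value).strip().replace("\\", "/")
    if value.startswith("//"):
        value = "http:" + value
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed netloc such as "http://[bad"
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def flag_redirect_attempts(log_lines, trusted_hosts=()):
    """Return (client, script, param, host) for each off-site redirect target."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in log_lines:
        if not (m := REQ_RE.match(line)):
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        script = path.rsplit("/", 1)[-1]
        if script not in SCRIPTS:
            continue
        params = parse_qs(query, keep_blank_values=True)
        for name in PARAMS:
            for value in params.get(name, []):
                host = redirect_host(value)
                if host and host not in trusted:
                    hits.append((client, script, name, host))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Feb/2021:10:00:00 +0000] "GET /www/delivery/ck.php?oadest=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Feb/2021:10:00:05 +0000] "GET /revive/www/delivery/lg.php?bannerid=3&ct0=//tracker.example/c HTTP/1.1" 302 0',
    '192.0.2.9 - - [01/Feb/2021:10:00:09 +0000] "GET /www/delivery/lg.php?bannerid=3&dest=%2Flocal%2Fpage HTTP/1.1" 200 43',
    '192.0.2.10 - - [01/Feb/2021:10:00:12 +0000] "GET /index.php?dest=https://other.example/ HTTP/1.1" 200 10',
]
```

With `trusted_hosts=("tracker.example",)` only the first sample line is reported; with an empty allowlist the scheme-relative `ct0` target is reported as well.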
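CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |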
GHSA
GHSA-8rwp-72pf-cq9g: Revive Adserver before 5
ghsa_unreviewed·2022-05-24
CVE-2021-22873 [MEDIUM] CWE-601 GHSA-8rwp-72pf-cq9g: Revive Adserver before 5
VulnCheck
revive-adserver revive_adserver URL Redirection to Untrusted Site ('Open Redirect')
vulncheck·2021·CVSS 6.1
CVE-2021-22873 [MEDIUM] revive-adserver revive_adserver URL Redirection to Untrusted Site ('Open Redirect')
Affected: revive-adserver revive_adserver
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.catonetworks
No detection rules found.
Nuclei
Revive Adserver <5.1.0 - Open Redirect
nuclei·CVSS 6.1
CVE-2021-22873 [MEDIUM] Revive Adserver <5.1.0 - Open Redirect
Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2021-22873

info:
  name: Revive Adserver <5.1.0 - Open Redirect
  author: pudsec
  severity: medium
  description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    Successful exploitat
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html
- http://seclists.org/fulldisclosure/2021/Jan/60
- https://github.com/revive-adserver/revive-adserver/issues/1068
- https://hackerone.com/reports/1081406
- https://www.revive-adserver.com/security/revive-sa-2021-001/