cbcvebase.
CVE-2021-22873
published 2021-01-26


Priority: P2 · 76 · medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 66.14% (99.2th percentile)
Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| httpsgithub.com_revive-adserver_revive-adserver | | | |
| revive-adserver | revive_adserver | < 5.1.0 | 5.1.0 |

Detection & IOCs (extracted from sources)

path: /ads/www/delivery/lg.php
path: /adserve/www/delivery/lg.php
path: /adserver/www/delivery/lg.php
path: /openx/www/delivery/lg.php
path: /revive/www/delivery/lg.php
path: /www/delivery/lg.php
path: /www/delivery/ck.php
  • Detect exploitation attempts by monitoring HTTP GET requests to delivery scripts (lg.php, ck.php) under common Revive Adserver install paths with open redirect parameters: dest, oadest, or ct0
  • Fingerprint Revive Adserver instances via Shodan/FOFA using favicon hash 106844876 or page title 'revive adserver' to identify exposed targets
  • Common Revive Adserver install sub-paths to probe: /ads/, /adserve/, /adserver/, /openx/, /revive/, and root /www/delivery/
  • The vulnerability affects Revive Adserver versions before 5.1.0 only; instances running 5.1.0 or later have the open redirect functionality removed
  • The open redirect was previously intentional design for third-party ad server click tracking; detections must account for legitimate historical use in older deployments
  • The Nuclei template uses stop-at-first-match and follows up to 2 redirects; detection logic should allow for redirect chaining when validating exploitation
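
The monitoring described in the notes above can be sketched as a log check. This is an added example, not code from the original page or from the Revive Adserver project. It assumes combined-format access logs and that `dest`, `oadest` and `ct0` arrive as ordinary query-string parameters; the allowlist hosts and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Delivery scripts and redirect parameters named on the page.
DELIVERY_RE = re.compile(r"/www/delivery/(?:lg|ck)\.php$")
REDIRECT_PARAMS = ("dest", "oadest", "ct0")
# Combined log format: client, ident, user, [time], "GET target HTTP/x" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def external_redirects(line, allowed_hosts):
    """Return (client, parameter, host) for each redirect target outside the allowlist."""
    m = LINE_RE.match(line)
    if not m:
        return []
    client, target, _status = m.groups()
    url = urlsplit(target)
    if not DELIVERY_RE.search(url.path):
        return []
    hits = []
    for name, values in parse_qs(url.query).items():  # values are percent-decoded
        if name not in REDIRECT_PARAMS:
            continue
        for value in values:
            try:
                # "//host/..." is scheme-relative and leaves the site like "https://host/..."
                host = urlsplit(value).hostname
            except ValueError:
                continue
            if host and host.lower() not in allowed_hosts:
                hits.append((client, name, host.lower()))
    return hits

def scan(lines, allowed_hosts):
    return [hit for line in lines for hit in external_redirects(line, allowed_hosts)]

# Constructed allowlist: the ad server itself plus a click tracker still in legitimate use.
ALLOWED = {"ads.example.com", "tracker.example.com"}
# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2021:10:00:00 +0000] "GET /revive/www/delivery/ck.php?oadest=https%3A%2F%2Funknown.example.net%2Flogin HTTP/1.1" 302 0',
    '192.0.2.11 - - [26/Jan/2021:10:00:05 +0000] "GET /ads/www/delivery/lg.php?dest=https%3A%2F%2Ftracker.example.com%2Fclick HTTP/1.1" 302 0',
    '198.51.100.7 - - [26/Jan/2021:10:00:09 +0000] "GET /www/delivery/lg.php?bannerid=1&ct0=%2F%2Fother.example.org%2Fc HTTP/1.1" 200 43',
    '198.51.100.8 - - [26/Jan/2021:10:00:12 +0000] "GET /index.php?dest=https%3A%2F%2Funknown.example.net%2F HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, param, host in scan(SAMPLE_LOG, ALLOWED):
        print(f"{client}: {param} redirects to {host}")
```

The allowlist is what separates remaining legitimate third-party click tracking on pre-5.1.0 deployments from redirects to unknown hosts.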

CVSS provenance

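| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |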