Revive Adserver Authorization Bypass Vulnerability Allowing Email Address Changes and Account Takeover

Vulnerability

A vulnerability in Revive Adserver versions 5.5.2, 6.0.1 and earlier allows an authenticated attacker to bypass authorization and change the email addresses of other users, potentially leading to account takeover via the password reset functionality. The issue arises because the admin panel endpoint for user management does not require password verification before updating email addresses.

Impact

Exploiting this vulnerability allows an authenticated attacker to change the email address of an admin user or any user with similar management permissions, facilitating a complete takeover of their account.

Reproduction

To reproduce this vulnerability, log into Revive Adserver and navigate to the User Access management page. Select an admin user and intercept the request to change their email address. Remove the password requirement from the request and send it. The email address will be updated successfully. Afterward, use the Forgot Password function to reset the admin account's password and gain full access.

Remediation

Revive Adserver has acknowledged this vulnerability and will include a fix in the next scheduled bug fix release. Users are advised to update to version 5.5.3 or 6.0.2 once available.
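As an added illustration of the missing control described above (this is not Revive Adserver's own code; the accounts, passwords, field names and request payloads are constructed sample data), the following Python contrasts an email-change handler that only enforces the password check when the client happens to include a password field with one that re-verifies the caller's current password unconditionally on the server side. The second form is what closes the gap: a request with the password field stripped out is rejected instead of silently accepted.

```python
"""Server-side re-authentication before changing a user's email address.

Added example, not code from Revive Adserver. Everything here (users, passwords,
request dicts, field names) is constructed for the demonstration.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(username: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "email": email,
            "salt": salt, "pw_hash": _hash_password(password, salt)}


def fresh_users() -> dict:
    """Constructed sample accounts: an admin and a lower-privileged manager."""
    return {
        "admin": make_user("admin", "admin@example.invalid", "admin-secret"),
        "manager": make_user("manager", "manager@example.invalid", "manager-secret"),
    }


def verify_password(user: dict, candidate: str) -> bool:
    return hmac.compare_digest(user["pw_hash"],
                               _hash_password(candidate, user["salt"]))


def change_email_vulnerable(session_user: str, request: dict, users: dict) -> bool:
    """Before: the password is only checked if the client chose to send one.

    Any authenticated caller can therefore omit the field and rewrite another
    account's email address without ever proving they know a password.
    """
    caller = users.get(session_user)
    target = users.get(request.get("target"))
    if caller is None or target is None:
        return False
    # Defect: the check is gated on the client-controlled presence of the field.
    if "password" in request and not verify_password(caller, request["password"]):
        return False
    target["email"] = request["new_email"]
    return True


def change_email_hardened(session_user: str, request: dict, users: dict) -> bool:
    """After: re-authentication is unconditional and evaluated server-side.

    A missing or wrong password rejects the change; the client cannot opt out.
    """
    caller = users.get(session_user)
    target = users.get(request.get("target"))
    if caller is None or target is None:
        return False
    # Always require the caller's own current password, whatever the request contains.
    if not verify_password(caller, request.get("password", "")):
        return False
    target["email"] = request["new_email"]
    return True


if __name__ == "__main__":
    # Constructed request with the password field removed, as in the report.
    stripped = {"target": "admin", "new_email": "attacker@example.invalid"}
    print("vulnerable accepts stripped request:",
          change_email_vulnerable("manager", stripped, fresh_users()))
    print("hardened accepts stripped request:",
          change_email_hardened("manager", stripped, fresh_users()))
```

The decisive difference is that the hardened handler reads the password with a default of an empty string and verifies it every time, so the presence or absence of the field in the client's request no longer decides whether the check runs. A production fix would also log the change and notify the previous email address, but the re-authentication step alone is what prevents the takeover path described in this advisory.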

Added: Nov 20, 2025, 8:25 PM
Updated: Nov 20, 2025, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.