Revive Adserver Stored Cross-Site Scripting Vulnerability in Conversion Statistics

Vulnerability

A stored cross-site scripting vulnerability has been identified in Revive Adserver versions through 6.0.1, including 5.5.2. The issue arises in the stats-conversions.php script, where improper input neutralization allows advertisers to inject malicious JavaScript via tracker names. This injected script executes when an admin views the conversion report, leading to session hijacking by stealing admin session cookies.

Impact

Exploitation of this vulnerability allows low-privilege advertiser accounts to inject persistent cross-site scripting that executes in the context of an admin user. This could be used to steal session cookies or perform actions as an admin, such as creating admin accounts or modifying campaigns.

Reproduction

To reproduce this vulnerability, log in as an advertiser and create a tracker with a name that includes a JavaScript payload, such as an image tag with an 'onerror' event. After saving the tracker, generate a conversion record linked to it. Then, log in as an admin and access the conversion statistics for the advertiser. The injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update to the latest version of Revive Adserver, as a security release is planned for November 5, 2025, to address this vulnerability.
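The two things a defender wants from this advisory are the shape of the bug (a stored tracker name written into the report page without output encoding) and a way to audit stored names after upgrading. The following Python script is an added illustration, not Revive Adserver's own code (the project is written in PHP, where the hardened form corresponds to encoding the name with htmlspecialchars at output time). The field names trackerid and trackername and the sample tracker rows are constructed for the example and are not taken from the product's schema:

```python
import html
import re

# Constructed sample tracker rows (not from a real database): one benign
# name, one carrying the kind of markup the advisory describes (an image tag
# with an onerror handler), and one with quotes and an ampersand that must
# survive encoding intact.
SAMPLE_TRACKERS = [
    {"trackerid": 1, "trackername": "Checkout completed"},
    {"trackerid": 2, "trackername": "<img src=x onerror=alert(1)>"},
    {"trackerid": 3, "trackername": 'Signup "premium" & newsletter'},
]

# Markup that has no business in a plain tracker name: any HTML tag, or an
# event-handler attribute such as onerror= / onload=.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
_EVENT_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def render_row_vulnerable(tracker):
    """The pattern the advisory describes: the stored name is interpolated
    into the report HTML as-is, so the admin's browser parses any markup
    an advertiser saved in it."""
    return "<td>%s</td>" % tracker["trackername"]


def render_row_hardened(tracker):
    """Same row, with the name HTML-encoded at output time, quotes included.
    The browser then displays the characters instead of executing them."""
    return "<td>%s</td>" % html.escape(tracker["trackername"], quote=True)


def is_suspicious_name(name):
    """True when a tracker name contains a tag or an event-handler attribute."""
    return bool(_TAG_RE.search(name) or _EVENT_HANDLER_RE.search(name))


def audit_trackers(trackers):
    """Return the ids of trackers whose names look like injected markup, so an
    admin can review what advertisers stored before the fix was applied."""
    return [t["trackerid"] for t in trackers if is_suspicious_name(t["trackername"])]


if __name__ == "__main__":
    for t in SAMPLE_TRACKERS:
        print("vulnerable:", render_row_vulnerable(t))
        print("hardened:  ", render_row_hardened(t))
    print("trackers to review:", audit_trackers(SAMPLE_TRACKERS))
```

The audit regexes are deliberately broad: a legitimate tracker name almost never contains an angle bracket, so a false positive costs one manual look, while a missed stored payload would keep firing in every admin's browser until the row is cleaned up. Output encoding, not input filtering, is the actual fix; the audit only finds what was stored before the patched release.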

Added: Nov 20, 2025, 8:22 PM
Updated: Nov 20, 2025, 10:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 6.5
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.