Total: 4 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2016-9124 | 1 Revive-adserver | 1 Revive Adserver | 2019-10-09 | 5.0 MEDIUM | 9.8 CRITICAL | Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow valid users to log in to the adserver, even while an attack is in progress. |
| CVE-2016-9125 | 1 Revive-adserver | 1 Revive Adserver | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL | Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. |
| CVE-2016-9470 | 1 Revive-adserver | 1 Revive Adserver | 2019-10-09 | 9.3 HIGH | 9.0 CRITICAL | Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector, which enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. |
| CVE-2017-5830 | 1 Revive-adserver | 1 Revive Adserver | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL | Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. |
