An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2019-05-06T16:53:33
Updated: 2024-08-04T19:54:53.553Z
Reserved: 2019-01-04T00:00:00
Link: CVE-2019-5434
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-05-06T17:29:00.730
Modified: 2024-11-21T04:44:55.693
Link: CVE-2019-5434
Redhat
No data.