Description
HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
Published: 2026-01-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting allowing arbitrary script execution in an administrator’s browser session
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a reflected XSS flaw discovered in the banner-acl.php and channel-acl.php scripts of Revive Adserver. An attacker can embed hostile HTML or JavaScript in a parameter of a specially crafted URL. When a logged‑in administrator opens that URL, the server echoes the payload back to the browser and the malicious script runs with the administrator’s privileges.

Affected Systems

Revive: Revive Adserver. No specific version information is available, so any deployed instance that includes the banner-acl.php and channel-acl.php scripts is potentially affected until a fix is applied.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity level, while the EPSS score of less than 1% points to a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivering the crafted URL to a legitimate administrator and convincing them to visit it; the attack would run only in the context of the administrator’s session.

Generated by OpenCVE AI on April 18, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Revive Adserver to the latest release once the security patch becomes available
  • Modify banner-acl.php and channel-acl.php to escape or validate all user-supplied parameters before inclusion in output
  • Implement a strong Content Security Policy that blocks the execution of inline scripts and limits script sources


Tracking


Advisories

No advisories yet.

References
History

Sat, 18 Apr 2026 20:15:00 +0000

Type   | Values Removed | Values Added
Title  |                | Reflected XSS in Revive Adserver Administrator Scripts

Fri, 30 Jan 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Aquaplatform; Aquaplatform revive Adserver
CPEs                |                | cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*
Vendors & Products  |                | Aquaplatform; Aquaplatform revive Adserver

Wed, 21 Jan 2026 21:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-79
Metrics    |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 11:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Revive; Revive adserver
Vendors & Products  |                | Revive; Revive adserver

Tue, 20 Jan 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
References  |                |
Metrics     |                | cvssV3_0 {'score': 6.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Aquaplatform Revive Adserver
Revive Adserver
MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-01-21T20:47:21.691Z

Reserved: 2026-01-01T15:00:02.340Z

Link: CVE-2026-21642

Vulnrichment

Updated: 2026-01-21T20:47:15.102Z

NVD

Status: Analyzed

Published: 2026-01-20T21:16:06.310

Modified: 2026-01-30T20:14:51.447

Link: CVE-2026-21642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses