Impact
A missing sanitisation of the clientid parameter in zone‑include.php of Revive Adserver allows a low‑privileged user to inject SQL code, resulting in a blind SQL injection. This flaw can compromise the confidentiality and integrity of the database contents. The CVSS score of 8.3 reflects a high severity, although no public exploits have been reported and the vulnerability is not listed in CISA’s KEV catalog.
Affected Systems
Revive Adserver versions 6.0.6 and all earlier releases are affected. The flaw exists in the zone‑include.php script, which processes user supplied clientid values without proper validation.
Risk and Exploitability
The attack vector is a web‑based request to zone‑include.php where the attacker controls the clientid field. Because the injection is blind, exploitation requires inferring results via side‑channels such as timing or error messages. The high CVSS score indicates significant potential impact, but the lack of known exploits and KEV listing suggests a lower likelihood of widespread activity at this time.
OpenCVE Enrichment