Impact
A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to execute blind SQL injection attacks via the clientid parameter. The flaw can be used to infer database contents or, though not explicitly stated in the description, it is commonly understood that blind SQL injection could potentially allow reading or modifying database records, representing a confidentiality and integrity risk.
Affected Systems
The vulnerability impacts Revive Adserver 6.0.6 and all earlier releases of the Revive:Adserver product line.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, implying a lower likelihood of widespread exploitation. The likely attack vector is an HTTP request to zone-include.php, where an attacker can modify the clientid query string to perform the injection.
OpenCVE Enrichment