Impact
Revive Adserver previously allowed low‑privileged session identifiers issued for the web admin console to be reused against the XML‑RPC API, which is normally restricted to administrators. This enabled attackers with a captured session token to gain unauthorized API access and exploit privileged operations, a classic CWE‑287 authentication bypass. The latest release records the session context (web or API) alongside other session data, preventing such cross‑context reuse.
Affected Systems
Revive Adserver is the affected product. No version data is provided, so the flaw may exist in multiple earlier releases that have not yet applied the context separation fix.
Risk and Exploitability
The CVSS score of 4.3 classifies the vulnerability as moderate, and EPSS data is not available with the vulnerability not listed in the CISA KEV catalog, indicating low or uncertain exploitation probability. Older releases that do not enforce session context separation remain vulnerable; an attacker would need to capture a non‑admin session ID and attempt reuse against the XML‑RPC endpoint. Newer releases mitigate the vector by enforcing context checks, thereby limiting exploitation to unpatched systems.
OpenCVE Enrichment