Impact
Low‑privileged users can embed malicious JavaScript into their Full Name, which is stored in the details field of system‑ content through userlog-details.php, the unsanitized script executes in the administrator’s browser, allowing the attacker to run arbitrary code in the context of an administrator session. This stored cross‑site scripting CWE‑79 and can lead to compromise of the administrator’s privileges and subsequent system‑wide impact if exploited. The affected component is the area that renders userlog details without proper output escaping.
Affected Systems
The vulnerability affects the Revive:Adserver product. No specific product versions are identified in the advisory, so any currently deployed instance impacted until the vendor implements the sanitization fix. Administrators should verify the presence of the patch in their installed vendor for an update.
Risk and Exploitability
No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation has been publicly documented. However, the flaw carries a high potential impact: once a low‑privileged user injects a script into their Full Name, any administrator who opens the corresponding email log will trigger that script, giving the attacker the ability to execute code with administrator privileges. The lack of an available CVSS score does not diminish the severity implied by the description; the risk remains significant until the proper escaping is deployed.
OpenCVE Enrichment