Impact
Low‑privileged users can embed malicious JavaScript in the Full Name field of their own profile. The name is interpolated into system‑generated emails, and the resulting message content is stored in a log table. When an administrator views the logged email content through userlog-details.php, the stored markup is written into the page without output encoding and executes in the administrator's browser, giving the attacker the ability to run arbitrary scripts in the context of the admin session (for example, issuing authenticated requests to the admin interface on the administrator's behalf). The attacker needs only a standard account, and the flaw is a classic stored cross‑site scripting weakness (CWE‑79).
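The following is an added example, not Revive Adserver's code, that models the three stages described above (name interpolated into an email, email body stored verbatim, stored body echoed into an admin page) in Python so the vulnerable and hardened renderers can be compared side by side. The field names, the email text, the sample payload and the `find_suspicious_entries` triage helper are all constructed for illustration; the PHP equivalent of the hardened renderer is `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` applied at the point each stored value enters HTML.

```python
import html
import re

# Constructed sample inputs (not payloads from the advisory).
ATTACKER_FULL_NAME = '"><img src=x onerror="alert(document.cookie)">'
BENIGN_FULL_NAME = "O'Brien & Sons"


def build_email_body(full_name: str) -> str:
    """Stand-in for a system-generated email that interpolates the user's name.
    The real Revive email text differs; only the interpolation matters here."""
    return f"Dear {full_name},\n\nYour campaign report is attached.\n"


def log_email(store: list, recipient: str, body: str) -> None:
    """Stand-in for the userlog table: the raw body is stored verbatim.
    Storing unencoded text is correct; the bug is in how it is later displayed."""
    store.append({"recipient": recipient, "body": body})


def render_userlog_vulnerable(entry: dict) -> str:
    """Hypothetical pre-patch behaviour: the stored body is echoed into HTML
    untouched, so any markup the user injected into their name becomes live."""
    return (
        f"<tr><td>{entry['recipient']}</td>"
        f"<td><pre>{entry['body']}</pre></td></tr>"
    )


def render_userlog_hardened(entry: dict) -> str:
    """Output-encode every stored field at the moment it enters HTML.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    esc = lambda s: html.escape(s, quote=True)
    return (
        f"<tr><td>{esc(entry['recipient'])}</td>"
        f"<td><pre>{esc(entry['body'])}</pre></td></tr>"
    )


# Crude triage pattern for already-stored entries: tags that can carry script,
# inline event handlers, and javascript: URLs. Meant for hunting, not for filtering
# (filtering on input is not a substitute for output encoding).
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def find_suspicious_entries(store: list) -> list:
    """Return indices of logged emails whose body contains HTML active content."""
    return [i for i, e in enumerate(store) if ACTIVE_CONTENT.search(e["body"])]


def demo() -> dict:
    """Run the full flow for one attacker and one benign user."""
    store: list = []
    log_email(store, "attacker@example.invalid", build_email_body(ATTACKER_FULL_NAME))
    log_email(store, "benign@example.invalid", build_email_body(BENIGN_FULL_NAME))
    return {
        "vulnerable": [render_userlog_vulnerable(e) for e in store],
        "hardened": [render_userlog_hardened(e) for e in store],
        "suspicious": find_suspicious_entries(store),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable:", out["vulnerable"][0])
    print("hardened:  ", out["hardened"][0])
    print("suspicious entries:", out["suspicious"])
```

The benign name shows why encoding belongs at output rather than at input: `O'Brien & Sons` is a legitimate value that the hardened renderer displays correctly as text, while the attacker's value is displayed as inert text instead of being parsed as an `img` element with an `onerror` handler.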
Affected Systems
The vulnerability affects the Revive:Adserver product. No specific version information is provided, so all current builds should be treated as potentially affected until the vendor releases a patch that output‑encodes the userlog details view.
Risk and Exploitability
The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, which suggests no known public exploitation at this time. The CVSS severity is not disclosed; however, the fact that the payload executes in an administrator's privileged session indicates a high potential impact if an attacker can control the Full Name field. The attack vector is inferred to be local or network based, depending on how the attacker is able to create or modify a user profile. Once the poisoned entry exists, any administrator who opens the corresponding log entry triggers the XSS, with no further action required from the attacker. The absence of a known exploit does not reduce the risk: the attack can be orchestrated by an insider or through a compromised low‑privileged account.
OpenCVE Enrichment