Impact
The vulnerability is a classic access control advertiser‑level privileges to change the status of a banner, turning it on or off, despite lacking the required permissions. The banner‑edit.php’s status based solely on edit permissions and ignores whether the status field is hidden in the form, making the status field insufficient for preventing unauthorized changes. The weakness lies in missing or improperly validated authorization checks, as identified by CWE‑284.
Affected Systems
Revive Adserver versions 6.0.6 and all earlier releases are affected. The issue is editing functionality exposed by the vendor’s web interface.
Risk and Exploitability
The CVSS assessment assigns a score of 5.4, indicating a moderate impact that could be leveraged by a legitimate advertiser to alter campaign delivery without proper approval. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalogue. Based on the description, the likely attack vector is remote over the web interface, requiring only authenticated use of the advertiser account and no exploitation of external services.
OpenCVE Enrichment