Impact
The addUser method in Revive Adserver’s XML‑RPC API contains a validation bypass that was introduced while fixing a prior vulnerability. Because the method did not validate the supplied user data, an attacker with API access can create an account whose username matches an existing one, enabling impersonation of that user, or can store script in a user field that is later rendered in a web page, resulting in stored cross‑site scripting. Either outcome undermines the integrity of authentication and of the pages that display user data.
Affected Systems
The issue affects Revive:Adserver products. No specific affected versions are listed in the reference data, so all versions of Revive Adserver that expose the XML‑RPC API without the applicable validation should be considered at risk.
Risk and Exploitability
The vulnerability is exploitable remotely wherever the XML‑RPC API is network‑reachable; the only privilege needed is the ability to call the API (its methods take a session identifier, so valid API credentials or a captured session are assumed). The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. In the absence of a CVSS score, the severity is inferred from the nature of the flaw: account impersonation combined with stored XSS presents a high risk to the confidentiality and integrity of user sessions and web content. The attack vector is network‑based API calls, and an attacker would need to construct an XML‑RPC request that exercises the addUser method with crafted user data.
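As an added illustration of the two checks the Impact and Risk paragraphs above imply (a normalised uniqueness check against existing usernames, and an allowlist that keeps markup out of stored user fields), the Python below serialises an XML‑RPC addUser call with the standard library, parses it on the receiving side and runs the user data through an unchecked handler and a checked one. It is example code, not Revive Adserver’s implementation; the parameter layout (a session ID followed by a struct with a userName key) and the in‑memory user store are assumptions made for the demonstration.

```python
"""Illustrative username validation in front of an XML-RPC addUser method.

Added example, not Revive Adserver's code. The addUser parameter layout
(session ID, then a struct with a "userName" key) and the list-based user
store are assumptions for the demonstration.
"""
import re
import unicodedata
import xmlrpc.client

# Allowlist: letters, digits and a few separators; no markup characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def normalize(username: str) -> str:
    """Canonicalise before comparing: strip, NFKC-fold, case-fold."""
    return unicodedata.normalize("NFKC", username.strip()).casefold()


def add_user_unchecked(users: list, username: str) -> bool:
    """Permissive handler: stores whatever the caller sent, so a second
    'admin' (or 'Admin', '<script>...') row is accepted."""
    users.append(username)
    return True


def add_user_checked(users: list, username: str) -> bool:
    """Hardened handler: allowlisted charset plus normalised uniqueness."""
    if not USERNAME_RE.fullmatch(username):
        return False
    canonical = normalize(username)
    if any(normalize(existing) == canonical for existing in users):
        return False
    users.append(username)
    return True


def build_add_user_request(session_id: str, username: str) -> str:
    """Serialise a methodCall the way an XML-RPC client library would."""
    return xmlrpc.client.dumps(
        (session_id, {"userName": username}), methodname="addUser"
    )


def handle_request(users: list, body: str, strict: bool) -> bool:
    """Receiving side: parse the XML body and dispatch addUser."""
    params, method = xmlrpc.client.loads(body)
    if method != "addUser":
        raise ValueError(f"unexpected method {method!r}")
    _session_id, user_info = params
    username = user_info["userName"]
    if strict:
        return add_user_checked(users, username)
    return add_user_unchecked(users, username)


if __name__ == "__main__":
    # Constructed sample store with one existing account.
    store = ["admin"]
    body = build_add_user_request("sess-1", "Admin")
    print("unchecked accepts duplicate:", handle_request(store, body, False))
    print("checked rejects duplicate:  ", not handle_request(["admin"], body, True))
    xss = build_add_user_request("sess-1", "<script>alert(1)</script>")
    print("checked rejects markup:     ", not handle_request(["admin"], xss, True))
```

The checked handler rejects both failure modes from the advisory at creation time. The allowlist removes the markup characters a stored XSS payload needs, but it is not a substitute for output encoding where usernames are rendered; both belong in a fix.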
OpenCVE Enrichment