Impact
The vulnerability occurs in the stats-video.php script of Revive:Adserver. The URL building process fails to encode the output of a Smarty helper, so attacker-controlled data is embedded directly into the generated page. Because the reflected data is not escaped, a malicious actor can inject arbitrary HTML and JavaScript, which executes in the browser of any user who opens the crafted URL. This is a reflected cross-site scripting (XSS) weakness, classified as CWE-79, and it could lead to session hijacking, credential theft or defacement of the site for users who load the vulnerable page.
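As an added illustration (not code from Revive:Adserver or Smarty; the function names, parameter names and sample values are hypothetical), the unencoded URL-building pattern the advisory describes, beside a hardened version that percent-encodes the query values and then HTML-escapes the finished URL for the attribute context:

```php
<?php
// Added illustration, not code from Revive:Adserver or Smarty. The function
// names, the parameter names and the sample values are hypothetical.

// Vulnerable pattern: request-controlled values are concatenated into an href
// attribute with no encoding at all, so a value containing '"' or '<' ends the
// attribute and becomes new markup in the page.
function build_stats_link_unsafe(string $script, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;   // neither urlencode() nor htmlspecialchars()
    }
    return '<a href="' . $script . '?' . implode('&', $pairs) . '">stats</a>';
}

// Hardened pattern: two separate encodings, one per context, applied in order.
//  1. http_build_query() percent-encodes every key and value, so the URL is
//     well formed no matter what the input contains.
//  2. htmlspecialchars() encodes the finished URL for the HTML attribute, so
//     '&', '"', '<' and '>' can no longer terminate the attribute or the tag.
function build_stats_link_safe(string $script, array $params): string
{
    $url  = $script . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '">stats</a>';
}

// Cheap regression check: a single anchor element contributes exactly two
// '<' characters; any extra one means injected markup got through.
function link_is_intact(string $html): bool
{
    return substr_count($html, '<') === 2;
}

// Constructed probe value: a quote and angle brackets are enough to show the
// breakout; no executable payload is needed.
$untrusted = ['period_preset' => 'today', 'entity' => '"><b>injected</b>'];

$unsafe = build_stats_link_unsafe('stats-video.php', $untrusted);
$safe   = build_stats_link_safe('stats-video.php', $untrusted);

echo $unsafe, PHP_EOL;   // the attribute is closed early and <b>injected</b> is real markup
echo $safe, PHP_EOL;     // the percent-encoded value stays inside the attribute

var_dump(link_is_intact($unsafe));   // the unsafe link fails the check
var_dump(link_is_intact($safe));     // the hardened link passes it
```

The same two-step rule applies inside a Smarty template: build the URL with the values already percent-encoded, then escape the result for the HTML context in which it is printed.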
Affected Systems
All installations of Revive:Adserver that expose the stats-video.php script to user input are potentially affected. The vendor information lists Revive:Adserver as the affected product but gives no version numbers or patch levels, so every current release may contain the flaw until an official fix is released. The script is reachable via user-controllable URL parameters, and the vulnerability lies in the output of the Smarty url helper.
Risk and Exploitability
With a CVSS base score of 4.7, the vulnerability is rated medium severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a URL that delivers malicious payloads to the stats-video.php script; no authentication is required. Because the flaw is a reflected XSS, the impact is limited to users who click the link or visit the page, but the attacker may use the vulnerability to steal session cookies or plant phishing content. Exploitation is straightforward and requires no special conditions, so the vulnerability poses a moderate risk to exposed deployments.
OpenCVE Enrichment