CVE-2016-9129

MEDIUM

Revive Adserver <3.2.3 - Info Disclosure

Title source: llm

Description

Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot however be used directly to log in to the system, which requires a username.

References (3)

[Issue Tracking, Patch, Third Party Advisory] https://github.com/revive-adserver/revive-adserver/commit/38223a841190bebd7a137c7bed84fbbcb2b0c2a5

View Patch ZIP pw:eip

[Permissions Required] https://hackerone.com/reports/98612

[Patch, Vendor Advisory] https://www.revive-adserver.com/security/revive-sa-2016-001/

Scores

CVSS v3 5.3

EPSS 0.0022

EPSS Percentile 44.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200 CWE-203

Status published

Affected Products (2)

revive-adserver/revive_adserver < 3.2.2

n/a/Revive Adserver All versions before 3.2.3 < Revive Adserver All versions before 3.2.3

Timeline

Published Mar 28, 2017

Tracked Since Feb 18, 2026