CVE-2025-27208
MEDIUM
Revive Adserver 5.5.2 - Reflected Cross-Site Scripting via Admin Search Compact Parameter
Title source: llm
Description
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specifically crafted URL and execute injected JavaScript code in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed. The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter.
References (2)
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/3091390
Mailing List, Patch, Third Party Advisory
http://seclists.org/fulldisclosure/2025/Oct/20
Scores
CVSS v3
6.1
EPSS
0.0137
EPSS Percentile
68.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
revive-adserver/revive_adserver
6.0.0 rc1
revive-adserver/revive_adserver
< 6.0.0
Published
Oct 31, 2025
Tracked Since
Feb 18, 2026