CVE-2025-27208

MEDIUM

Revive Adserver 5.5.2 - Reflected Cross-Site Scripting via Admin Search Compact Parameter

Title source: llm

Description

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user with access to the user interface of a Revive Adserver instance into clicking on a specially crafted URL, causing injected JavaScript code to execute in the context of the victim's browser. The session cookie cannot be accessed, but a number of other operations could be performed. The vulnerability is present in the admin-search.php file and can be exploited via the compact parameter.

References (2)

Core References
https://hackerone.com/reports/3091390 (Exploit, Issue Tracking, Patch, Third Party Advisory)
http://seclists.org/fulldisclosure/2025/Oct/20 (Mailing List, Patch, Third Party Advisory)

Scores

CVSS v3 6.1
EPSS 0.0137
EPSS Percentile 68.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
revive-adserver/revive_adserver 6.0.0 rc1
revive-adserver/revive_adserver < 6.0.0
Published Oct 31, 2025
Tracked Since Feb 18, 2026