Vulnerability identifier: #VU39351

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-9471

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Revive Adserver
Web applications / Other software

Vendor: OpenX Source

Description

The vulnerability allows a remote privileged user to read and manipulate data.

Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver. <a href="http://cwe.mitre.org/data/definitions/75.html">CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)</a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

Revive Adserver: 4.0.0

---

External links
http://github.com/revive-adserver/revive-adserver/commit/05b1eceb
http://hackerone.com/reports/128181
http://www.revive-adserver.com/security/revive-sa-2016-002/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.