Fix h1 report 173501
Persistent XSS
---------------

The HackerOne user pavanw3b has reported that the Revive Adserver was vulnerable to a persistent XSS attack: an authenticated user could set their own email address to a specifically crafted string which was then displayed without proper escaping in the context of other users (e.g. the administrator user), giving them an opportunity to steal a session with elevated privileges.

CWE-ID: CWE-79
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7
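As an added illustration of the class of bug described in the message (not code from this commit or from Revive Adserver), the vulnerable rendering pattern is shown beside a hardened one; the function names, the admin-table row markup and the sample address are assumptions.

```php
<?php
// Added example, not Revive Adserver's own code: defensive handling of a
// user-editable email address that is later rendered in other users' pages.
declare(strict_types=1);

// Defence in depth: reject obviously crafted strings when the address is saved.
// This is not sufficient on its own, because a quoted local part such as
// "<b>"@example.com is syntactically valid and may pass the filter.
function validateEmail(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// The actual fix: escape at render time, every time, regardless of what
// validation did. ENT_QUOTES makes the value safe in attribute context too,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: an untrusted profile field interpolated verbatim into
// the HTML of a page viewed by another (more privileged) user.
function renderRowVulnerable(string $username, string $email): string
{
    return "<tr><td>$username</td><td>$email</td></tr>";
}

// Hardened pattern: every untrusted value passes through e() before output.
function renderRowSafe(string $username, string $email): string
{
    return '<tr><td>' . e($username) . '</td><td>' . e($email) . '</td></tr>';
}

// Constructed sample input (hypothetical) standing in for a crafted address.
$crafted = 'x@example.com"><script>alert(document.cookie)</script>';

var_dump(validateEmail($crafted));
echo renderRowVulnerable('alice', $crafted), PHP_EOL;
echo renderRowSafe('alice', $crafted), PHP_EOL;
```

Run with `php example.php`: the vulnerable row contains a live `<script>` element, while the hardened row shows the same characters as inert text.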