QwikSec

Security Database

CVE

CWE

Training

CVE-2021-22873

Published: Jan 21, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.

Vendor	Product	Versions
n/a	https://github.com/revive-adserver/revive-adserver	affected `Fixed in 5.1.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1081406

x_refsource_MISC

https://www.revive-adserver.com/security/revive-sa-2021-001/

x_refsource_MISC

https://github.com/revive-adserver/revive-adserver/issues/1068

x_refsource_MISC

20210122 [REVIVE-SA-2021-001] Revive Adserver Vulnerabilities

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/161070/Revive-Adserver-5.0.5-Cross-Site-Scripting-Open-Redirect.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.