Vulnerabilities > Revive Adserver > Medium

DATE CVE VULNERABILITY TITLE RISK
2015-10-14 CVE-2015-7371 Permissions, Privileges, and Access Controls vulnerability in Revive-Adserver Revive Adserver
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request.
network
low complexity
revive-adserver CWE-264
5.0
5.0
2015-10-14 CVE-2015-7370 Cross-site Scripting vulnerability in Revive-Adserver Revive Adserver
Multiple cross-site scripting (XSS) vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive Adserver before 3.2.2 and CA Release Automation (formerly LISA Release Automation) 5.0.2 before 5.0.2-227, 5.5.1 before 5.5.1-1616, 5.5.2 before 5.5.2-434, and 6.1.0 before 6.1.0-1026, allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) data-file parameter. 		4.3
4.3
2015-10-14 CVE-2015-7366 Cross-Site Request Forgery (CSRF) vulnerability in Revive-Adserver Revive Adserver
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that (1) perform certain plugin actions and possibly cause a denial of service (disabled core plugins) via unknown vectors or (2) change the contact name and language or possibly have unspecified other impact via a crafted POST request to an account-user-*.php script. 		6.8
6.8
2015-10-14 CVE-2015-7365 Cross-site Scripting vulnerability in Revive-Adserver Revive Adserver
Cross-site scripting (XSS) vulnerability in the plugin upgrade form in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of an uploaded file containing errors. 		4.3
4.3
2015-10-14 CVE-2015-7364 Cross-Site Request Forgery (CSRF) vulnerability in Revive-Adserver Revive Adserver
The HTML_Quickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an empty token. 		6.8
6.8
2014-12-19 CVE-2014-9407 Cross-Site Request Forgery (CSRF) vulnerability in Revive-Adserver Revive Adserver
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via a request to agency-delete.php, (2) tracker-delete.php, or (3) userlog-delete.php in admin/ or (4) unlink accounts via a request to admin-user-unlink.php. 		6.8
6.8
2014-12-19 CVE-2014-8875 Denial of Service vulnerability in Revive Adserver 'XML/RPC.php' XML Entity Expansion
The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack.
network
low complexity
revive-adserver
5.0
5.0
2014-12-19 CVE-2014-8793 Cross-Site Scripting vulnerability in Revive-Adserver Revive Adserver
Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/PublisherIdField.php in Revive Adserver before 3.0.6 allows remote attackers to inject arbitrary web script or HTML via the refresh_page parameter to www/admin/report-generate.php. 		4.3
4.3
2014-04-25 CVE-2013-5954 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack the authentication of administrators for requests that delete (1) users via admin/agency-user-unlink.php, (2) advertisers via admin/advertiser-delete.php, (3) banners via admin/banner-delete.php, (4) campaigns via admin/campaign-delete.php, (5) channels via admin/channel-delete.php, (6) affiliate websites via admin/affiliate-delete.php, or (7) zones via admin/zone-delete.php. 		6.8
6.8