CVE-2016-9126

Source
https://cve.org/CVERecord?id=CVE-2016-9126
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9126.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-9126
Published
2017-03-28T02:59:00.417Z
Modified
2026-04-10T03:54:05.865828Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account.

References

Affected packages

Git / github.com/revive-adserver/revive-adserver

Affected ranges

Type
GIT
Repo
https://github.com/revive-adserver/revive-adserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.2"
        }
    ]
}

Affected versions

v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.0-beta
v3.2.0
v3.2.0-beta
v3.2.1
v3.2.1-rc1
v3.2.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9126.json"