resolved
Missing access control when linking banners or campaigns to zones
Bug reported by Ahmed Ghadban was disclosed on June 3, 2026, 1:35 pm | Improper Access Control - Generic
A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.
resolved
Missing access control when linking trackers to campaigns
Bug reported by Ahmed Ghadban was disclosed on June 3, 2026, 1:35 pm | Improper Access Control - Generic
A missing access control check was reported when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.
resolved
Blind SQL injection via clientid parameter in zone-include.php
Bug reported by Kaushalendra Dubey was disclosed on June 3, 2026, 1:34 pm | SQL Injection
resolved
Reflected XSS via clientid parameter in zone-include.php
Bug reported by Kaushalendra Dubey was disclosed on June 3, 2026, 1:34 pm | Cross-site Scripting (XSS) - Reflected
resolved
PHP code injection via delivery limitation logical
Bug reported by 0x4C616E was disclosed on June 3, 2026, 1:33 pm | Code Injection
resolved
Stored XSS via Full Name field in userlog email entries
Bug reported by was disclosed at June 3, 2026, 1:33 pm | Cross-site Scripting (XSS) - Stored
resolved
Session ID reuse allowing XML-RPC API authentication bypass
Bug reported by 0x4C616E was disclosed on June 3, 2026, 1:33 pm | Improper Authentication - Generic
resolved
Missing access control when modifying parent entities via XML-RPC
Bug reported by was disclosed at June 3, 2026, 1:32 pm | Improper Access Control - Generic
resolved
Banner status override by advertiser-level users
Bug reported by Vertical was disclosed on June 3, 2026, 1:32 pm | Improper Access Control - Generic
A vulnerability was reported in Revive Adserver 6.0.6 and earlier which allowed an advertiser-level user to activate or deactivate a banner without the required permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten based solely on banner edit permissions.
resolved
PHP code injection via unexpected delivery limitation parameter
Bug reported by rajib mahmud was disclosed on June 3, 2026, 1:29 pm | Code Injection
A vulnerability was reported in Revive Adserver 6.0.6 and earlier, in which user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the `compiledlimitations` field, which could then be executed during banner delivery.