Vulnerability Description
Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address is associated with one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot, however, be used directly to log in to the system, which requires a username.
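To make the discrepancy concrete, here is an added illustration (not Revive Adserver's own code) of a password-recovery handler whose reply reveals whether an email is registered, beside a hardened variant that answers identically either way; the account store, messages and function names are constructed for the example.

```python
# Added illustration, not Revive Adserver's code: a password-recovery handler
# that reveals whether an email is registered through its response wording,
# next to a hardened variant that answers identically in both cases.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample account store: email -> usernames sharing that address
USERS: Dict[str, List[str]] = {"alice@example.com": ["alice", "alice-admin"]}


def recover_vulnerable(email: str, users: Dict[str, List[str]] = USERS) -> str:
    """Leaky variant: the message differs depending on whether the email is known."""
    accounts = users.get(email, [])
    if not accounts:
        return "No user found with that email address."
    return "A recovery link has been emailed for: " + ", ".join(accounts)


def recover_hardened(
    email: str,
    users: Dict[str, List[str]] = USERS,
    outbox: Optional[List[Tuple[str, str]]] = None,
) -> str:
    """Uniform variant: mail goes out only for real accounts, but the reply never changes."""
    accounts = users.get(email, [])
    if outbox is not None:
        for username in accounts:
            outbox.append((email, username))  # one recovery mail per account
    return "If that address is registered, a recovery link has been sent to it."


def mails_sent_by_hardened(email: str) -> List[Tuple[str, str]]:
    """Helper for checking side effects: which recovery mails the hardened handler sends."""
    outbox: List[Tuple[str, str]] = []
    recover_hardened(email, outbox=outbox)
    return outbox


def leaks_existence(handler: Callable[[str], str], known: str, unknown: str) -> bool:
    """Regression check: True if the reply for a registered email differs from
    the reply for an unregistered one, i.e. the handler acts as an enumeration oracle."""
    return handler(known) != handler(unknown)
```

A uniform message is only half of the fix: if the hardened path sends mail synchronously for real accounts only, response time becomes the new discrepancy, so the mail should be queued and sent asynchronously.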
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Revive-Adserver | Revive Adserver | <= 3.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/revive-adserver/revive-adserver/commit/38223a841190bebd7a137c (Issue Tracking, Patch, Third Party Advisory)
- https://hackerone.com/reports/98612 (Permissions Required)
- https://www.revive-adserver.com/security/revive-sa-2016-001/ (Patch, Vendor Advisory)
FAQ
What is CVE-2016-9129?
CVE-2016-9129 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address is associated with one or more user accounts on a target Revi...
How severe is CVE-2016-9129?
CVE-2016-9129 has been rated MEDIUM with a CVSS base score of 5.3/10; see the CVSS Score section above.
Is there a patch for CVE-2016-9129?
Yes. The issue is fixed in Revive Adserver 3.2.3 (versions up to 3.2.2 are affected); see the vendor advisory revive-sa-2016-001 and the patch commit in the references section above. Affected products: Revive-Adserver Revive Adserver.