CVE-2016-9471

Description

Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.

Category

3.1
CVSS
Severity: Low
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.27%
Vendor Advisory revive-adserver.com
Affected: n/a Revive Adserver All versions before 3.2.5 and 4.0.0
Published at:
Updated at:

References

Link Tags
https://hackerone.com/reports/128181 permissions required
https://github.com/revive-adserver/revive-adserver/commit/05b1eceb third party advisory patch
https://www.revive-adserver.com/security/revive-sa-2016-002/ patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2016-9471?
CVE-2016-9471 has been scored as a low severity vulnerability.
How to fix CVE-2016-9471?
To fix CVE-2016-9471, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-9471 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2016-9471 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9471?
CVE-2016-9471 affects n/a Revive Adserver All versions before 3.2.5 and 4.0.0.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.