CVE-2025-48986
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-25
Assigner: HackerOne
Description
Description
Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts using the forgot password functionality.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| revive-adserver | revive_adserver | to 5.5.2 (inc) |
| revive-adserver | revive_adserver | From 6.0.0 (inc) to 6.0.1 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authorization bypass in Revive Adserver versions 5.5.2, 6.0.1, and earlier. It allows a logged-in attacker to change other users' email addresses and potentially take over their accounts by exploiting the forgot password functionality.
How can this vulnerability impact me? :
An attacker who exploits this vulnerability can take over other users' accounts by changing their email addresses, leading to unauthorized access, data compromise, and potential control over affected accounts.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70