Executive Summary

This vulnerability is due to a missing access control check in the XML-RPC API of Revive Adserver version 6.0.6 and earlier. Specifically, when invoking various modify methods, the API allowed entities to be reassigned to different parent entities without proper validation. This could lead to inconsistent ownership relationships within the system.

The issue can only be exploited if combined with another vulnerability (CVE-2026-34917) or through third-party API extensions that expose API functionality to users with low privileges. The fix involved adding access control checks to validate access to parent entities when using the API's modify methods.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized reassignment of entities to different parent entities within Revive Adserver, potentially causing inconsistent ownership relationships.

Such unauthorized modifications could lead to integrity issues in the system's data and may allow low-privileged users to perform actions they should not be permitted to do, especially if combined with other vulnerabilities or insecure third-party extensions.

According to the CVSS score (4.3), the impact is limited to integrity with no direct impact on confidentiality or availability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, ensure that you upgrade Revive Adserver to a version later than 6.0.6 where access control checks have been added to the XML-RPC API modify methods.

Additionally, restrict access to the XML-RPC API to trusted and privileged users only, and avoid using third-party API extensions that expose API functionality to low-privileged users.

Useful 0 Not Useful 0