A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.
Metrics
Affected Vendors & Products
References
| Link | Providers |
|---|---|
| https://hackerone.com/reports/3650504 |
|
History
Wed, 24 Jun 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Enables Cross‑Manager Zone Linking in Revive Adserver |
Wed, 24 Jun 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Enables Cross‑Manager Zone Linking in Revive Adserver |
Wed, 24 Jun 2026 05:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Allowing Low-Privilege Banner/Zone Linking in Revive Adserver |
Wed, 24 Jun 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Allowing Low-Privilege Banner/Zone Linking in Revive Adserver |
Tue, 23 Jun 2026 23:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Allows Low‑Privileged User to Link Zones to Banners/Campaigns of Other Managers |
Tue, 23 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Revive
Revive adserver |
|
| Vendors & Products |
Revive
Revive adserver |
Tue, 23 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Missing Access Control Allows Low‑Privileged User to Link Zones to Banners/Campaigns of Other Managers |
Tue, 23 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 23 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account. | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: PUBLISHED
Assigner: hackerone
Published: 2026-06-23T16:14:38.094Z
Updated: 2026-06-23T17:41:50.468Z
Reserved: 2026-03-31T15:00:06.522Z
Link: CVE-2026-34912
Updated: 2026-06-23T17:41:47.603Z
No data.
No data.