An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions. The status field has been removed from the hidden form fields in the banner edit screen.
Metrics
Affected Vendors & Products
References
| Link | Providers |
|---|---|
| https://hackerone.com/reports/3678828 |
|
History
Wed, 24 Jun 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Advertiser-Level Access Control Bypass in Revive Adserver Banner Editing |
Wed, 24 Jun 2026 08:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Advertiser-Level Access Control Bypass in Revive Adserver Banner Editing |
Wed, 24 Jun 2026 05:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Access Control Bypass in Revive Adserver Banner Status Update |
Wed, 24 Jun 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Access Control Bypass in Revive Adserver Banner Status Update |
Tue, 23 Jun 2026 23:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Banner Status Bypass in Revive Adserver |
Tue, 23 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Revive
Revive adserver |
|
| Vendors & Products |
Revive
Revive adserver |
Tue, 23 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Banner Status Bypass in Revive Adserver |
Tue, 23 Jun 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 23 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions. The status field has been removed from the hidden form fields in the banner edit screen. | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: PUBLISHED
Assigner: hackerone
Published: 2026-06-23T16:14:38.138Z
Updated: 2026-06-23T17:30:59.414Z
Reserved: 2026-05-08T15:00:02.447Z
Link: CVE-2026-44958
Updated: 2026-06-23T17:27:32.906Z
No data.
No data.