A reflected XSS vulnerability has been detected in Revive Adserver 5.0.3’s publicly accessible afr.php delivery script. As of v3.2.2, the session identifier is kept in a http-only cookie and cannot be retrieved. On older versions, however, it may be possible to steal the session identifier and gain access to the admin interface under certain circumstances. In a JavaScript context, the query string provided to the www/delivery/afr.php
script was printed back without sufficient escaping, allowing an attacker to execute arbitrary JS code on the victim’s browser.