CVE-2016-9125

critical

Description

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.

References

https://www.revive-adserver.com/security/revive-sa-2016-001/

https://hackerone.com/reports/93813

https://hackerone.com/reports/93809

https://github.com/revive-adserver/revive-adserver/commit/4910365631eabbb208961c36149f41cc8159fb39

Details

Source: Mitre, NVD

Published: 2017-03-28

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00691