CVE-2025-48986

Published: Nov 20, 2025Modified: Nov 25, 2025

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: support@hackerone.com (Secondary)

Description

Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email address and potentialy take over their accounts using the forgot password functionality.

Affected (2)

Products: Revive Adserver: Revive Adserver

Revive Adserver

1 product

Revive Adserver

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Revive Adserver Revive Adserver	Up to 5.5.2
Revive Adserver Revive Adserver	From 6.0.0 to 6.0.1

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://hackerone.com/reports/3398283

Source: support@hackerone.com

ExploitIssue TrackingThird Party Advisory

https://hackerone.com/reports/3398283

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.