
Description

Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a logged-in attacker to change other users' email addresses and potentially take over their accounts using the forgot password functionality.

PUBLISHED Reserved 2025-05-29 | Published 2025-11-20 | Updated 2025-11-20 | Assigner hackerone




HIGH: 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

5 (semver): affected

5.5.3 (semver): unaffected

6.0.2 (semver): unaffected

6 (semver): affected

References

hackerone.com/reports/3398283 (exploit)


cve.org (CVE-2025-48986)

nvd.nist.gov (CVE-2025-48986)
