CVEs-PoC/2016/CVE-2016-9124.md

### [CVE-2016-9124](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9124)
![](https://img.shields.io/static/v1?label=Product&message=Revive%20Adserver%20All%20versions%20before%203.2.3&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Revive%20Adserver%20All%20versions%20before%203.2.3%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Improper%20Restriction%20of%20Excessive%20Authentication%20Attempts%20(CWE-307)&color=brightgreen)

### Description

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

### POC

#### Reference
- https://www.revive-adserver.com/security/revive-sa-2016-001/

#### Github
No PoCs found on GitHub currently.