Thanks for the report. It is a known issue, since many years actually. The problem is that the oadest parameter is required for certain functionalities to work, and to this day no solution has been found that allows it while making it safer. I have spent myself numerous hours on it but I couldn't come up with anything good enough.
If you have a working solution, we'd be happy to review it and apply it.
Open Url Redirect Vulnerability On Revive Adserver
in For Developers
Posted
Why not use CSRF token?