Description
Dovestones Softwares ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of arbitrary JavaScript in the victim's browser.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Upgrade
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute arbitrary JavaScript inside a victim's browser by manipulating the Department query parameter on the /ADPhonebook?Department=HR endpoint. User-supplied data is reflected in the HTTP response without any input validation or output encoding, giving the attacker full control over the page context. This can lead to session hijacking, cookie theft, defacement, or other client-side attacks.

Affected Systems

The affected product is Dovestones Softwares’ ADPhonebook application, specifically any release prior to version 4.0.1.1. No other vendors are listed as affected.

Risk and Exploitability

The CVSS score of 6.1 classifies this as a moderate-severity flaw, but reflected XSS is typically trivial to exploit via crafted URLs or emails and requires no authentication. Because the EPSS score is not available, the exploitation probability remains unknown, and the vulnerability is not listed in the CISA KEV catalog. Attackers can succeed by embedding malicious scripts in a link that the victim clicks, exploiting the lack of input sanitisation and resulting in arbitrary code execution in the victim's browser context.

Generated by OpenCVE AI on April 22, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ADPhonebook to version 4.0.1.1 or newer, which removes the reflected XSS.
  • If an upgrade is not possible, validate and encode the search input on the server side so that reflected values cannot be interpreted as HTML or script.
  • Implement a robust Content Security Policy that blocks inline scripts and restricts allowed script sources.
  • Optionally restrict the /ADPhonebook?Department=HR endpoint to authenticated users only while the patch is pending.
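The two server-side actions above (validate, then output-encode) and the CSP header, shown side by side with the vulnerable reflection pattern. This is an added illustration, not ADPhonebook's own code; the handler, the department allow-list and the sample URL are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of departments the phonebook serves (constructed for this example).
KNOWN_DEPARTMENTS = {"HR", "IT", "Finance"}

# Restrictive policy matching the recommendation: no inline scripts, same-origin sources only.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def department_from_url(url: str) -> str:
    """Extract the Department query value as the server would receive it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("Department", [""])[0]


def render_unsafe(department: str) -> str:
    """Vulnerable pattern: the query value is concatenated straight into the HTML body."""
    return f"<h1>Phonebook: {department}</h1>"


def render_safe(department: str) -> str:
    """Hardened pattern: allow-list the value, and HTML-encode whatever is echoed back."""
    encoded = html.escape(department, quote=True)
    if department not in KNOWN_DEPARTMENTS:
        # Even the error path encodes, so an unknown value cannot carry markup.
        return f"<h1>Unknown department: {encoded}</h1>"
    return f"<h1>Phonebook: {encoded}</h1>"


def handle(url: str):
    """Minimal request handler: returns (headers, body) using the hardened renderer."""
    headers = dict([CSP_HEADER])
    return headers, render_safe(department_from_url(url))


def reflects_raw_script(body: str) -> bool:
    """Response check: does the body still contain an un-encoded script tag?"""
    return re.search(r"<\s*script", body, re.IGNORECASE) is not None


# Constructed sample request carrying a tag in the Department value, as the advisory describes.
SAMPLE_URL = ("https://phonebook.example.test/ADPhonebook"
              "?Department=HR%3Cscript%3Ealert(1)%3C/script%3E")
```

Running `reflects_raw_script` over both renderers for `SAMPLE_URL` shows the unsafe body still contains the tag while the hardened body does not.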

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

  First Time appeared (values added): Dovestones; Dovestones adphonebook
  Vendors & Products (values added): Dovestones; Dovestones adphonebook

Wed, 22 Apr 2026 06:15:00 +0000

  Title (values added): Reflected XSS in ADPhonebook Search Parameter

Wed, 22 Apr 2026 00:00:00 +0000

  Title (values added): Reflected XSS in ADPhonebook Search Parameter
  Weaknesses (values added): CWE-79
  Metrics (values added):
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 15:00:00 +0000

  Description (values added): Dovestones Softwares ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of arbitrary JavaScript in the victim's browser.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T18:19:12.306Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31013

Vulnrichment

Updated: 2026-04-21T18:19:02.614Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T15:16:36.217

Modified: 2026-04-21T19:16:16.707

Link: CVE-2026-31013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:06Z

Weaknesses