Description
Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.
Published: 2026-04-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of user account data
Action: Apply Fix
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CWE-352) flaw in Dovestones Softwares AD Self Update before 4.0.0.5. The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. Because it accepts application/x-www-form-urlencoded input and honours the same parameters when an originally POST-based request is resubmitted as a GET, the forged request can be as simple as a link or an image URL; no hidden auto-submitting form is needed. An authenticated user who visits an attacker-controlled page or follows such a link therefore triggers an update of their own account details without consenting to it. The direct result is unauthorized modification of user account information, which compromises privacy and data integrity; if the application permits further actions on the basis of the updated data, broader consequences are possible. The CVSS 3.1 score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) is Medium: the attacker needs no privileges of their own, but a victim must interact. The EPSS score is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is known as of publication. Actual risk depends on how often users hold an authenticated session in the application and whether the endpoint is reachable from browsers that an attacker can lure.

Affected Systems

Dovestones Softwares AD Self Update (version < 4.0.0.5) is the only affected product.

Risk and Exploitability

The vulnerability is a CSRF flaw that permits state-changing requests without a CSRF token or equivalent protection. Because the endpoint accepts application/x-www-form-urlencoded requests and still applies the update when an originally POST-based request is converted to a GET, an attacker can place the forged request in a link, an image tag or a hidden form that an authenticated user triggers simply by visiting a page. The outcome is an unauthorized update of the victim's account details. The CVSS score of 6.3 indicates moderate severity; the EPSS score is below 1%, and the vulnerability is absent from the CISA KEV catalog, so the exploitation likelihood is currently assessed as low, although a public proof of concept would be trivial to build from the description alone.
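The following is an added illustration of the request-handling defect described above and of the guard that closes it. It is example code written for this record, not code from Dovestones or from AD Self Update; the origin, the session cookie name, the `csrf_token` field and the `email` parameter are all hypothetical. `vulnerable_params` shows why the POST-to-GET conversion works (query string and body are merged with no check of where the request came from); `check_state_change` shows the three layers a fix needs: refuse GET for state changes, verify the request's origin, and require a session-bound synchronizer token that is sent in the body, not the URL.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical deployment values for this example; they are not taken from the advisory.
APP_ORIGIN = "https://selfupdate.example.com"
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret; keep it out of source in practice


def vulnerable_params(req: dict) -> dict:
    """The request-handling pattern the advisory describes: parameters are read
    the same way whether they arrive in a POST body or a GET query string, and
    nothing ties the request to the page that was meant to send it.  A forged
    GET therefore carries exactly the fields a legitimate POST would."""
    return {**req["query"], **req["form"]}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    Embed it in the update form as a hidden field when the page is rendered."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_change(req: dict) -> tuple:
    """Return (allowed, reason) for a request to an endpoint that modifies user data.

    `req` is a plain dict standing in for a framework request object:
    method, headers, cookies, form (POST body fields) and query (URL fields).
    """
    # 1. Refuse state changes over GET: closes the POST-to-GET conversion outright.
    if req["method"].upper() != "POST":
        return False, "state change must use POST"

    # 2. Source-origin check: Origin header, falling back to Referer.  Browsers set
    #    these on cross-site form posts and a page on attacker.example cannot spoof them.
    src = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not src:
        return False, "missing Origin/Referer header"
    u = urlparse(src)
    if f"{u.scheme}://{u.netloc}" != APP_ORIGIN:
        return False, f"cross-origin request from {u.scheme}://{u.netloc}"

    # 3. Synchronizer token: must come from the POST body (never the query string)
    #    and must match the token derived for this session, compared in constant time.
    session_id = req["cookies"].get("session")
    token = req["form"].get("csrf_token")
    if not session_id or not token:
        return False, "missing session or CSRF token"
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "CSRF token mismatch"
    return True, "ok"


# Constructed sample requests for illustration (not captured traffic).
SESSION_ID = "3f1c9a"
FORGED_GET = {                       # the converted request: a link or image URL carrying the fields
    "method": "GET",
    "headers": {"Referer": "https://attacker.example/lure.html"},
    "cookies": {"session": SESSION_ID},
    "form": {},
    "query": {"email": "victim@attacker.example"},
}
FORGED_POST = {                      # auto-submitted cross-site form; the attacker has no token
    "method": "POST",
    "headers": {"Origin": "https://attacker.example"},
    "cookies": {"session": SESSION_ID},
    "form": {"email": "victim@attacker.example"},
    "query": {},
}
LEGIT_POST = {                       # same-origin form with the session-bound token in the body
    "method": "POST",
    "headers": {"Origin": APP_ORIGIN},
    "cookies": {"session": SESSION_ID},
    "form": {"email": "me@example.com", "csrf_token": issue_csrf_token(SESSION_ID)},
    "query": {},
}

if __name__ == "__main__":
    for name, r in (("forged GET", FORGED_GET), ("forged POST", FORGED_POST), ("legit POST", LEGIT_POST)):
        print(f"{name:12s} vulnerable handler sees {vulnerable_params(r)} -> hardened: {check_state_change(r)}")
```

The three checks are deliberately independent: the method check alone defeats the link-based variant, the origin check defeats cross-site form posts from any browser that sends Origin or Referer, and the token check still holds when a proxy or privacy setting strips those headers. A SameSite=Lax or Strict attribute on the session cookie is a fourth, browser-enforced layer but does not replace the server-side token.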

Generated by OpenCVE AI on April 22, 2026 at 07:36 UTC.

Remediation

No vendor advisory or workaround is linked from this record. The affected range (< 4.0.0.5) indicates that 4.0.0.5 is the first fixed version.

OpenCVE Recommended Actions

  • Install the newest version of Dovestones Softwares AD Self Update (4.0.0.5 or later) to eliminate the CSRF flaw.
  • If an immediate upgrade is not feasible, put the endpoint behind a reverse proxy or web application firewall and (a) reject GET requests to the update handler so that the documented POST-to-GET conversion no longer works, (b) reject POST requests whose Origin or Referer header does not match the application's own origin, and (c) set SameSite=Lax or Strict on the session cookie. These are stop-gaps; only a session-bound anti-CSRF token checked by the application itself fully closes the issue.
  • Audit and monitor account change logs, and web server access logs for GET requests with query-string parameters to the update handler or for requests whose Referer is another site, to detect and respond to potential exploitation attempts.
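An added example of the log review the last item recommends, written for this record and not taken from Dovestones or from OpenCVE: it parses Apache/nginx combined-format access-log lines and flags the two signals the description gives, a state change arriving as a GET with query-string parameters and a request whose Referer is another site. The host name `selfupdate.example.com`, the handler path `/update` and the sample log lines are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example (not from the advisory): the application is
# served at APP_HOST and its account-update handler lives under UPDATE_PATH.
APP_HOST = "selfupdate.example.com"
UPDATE_PATH = "/update"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(line: str):
    """Return a finding dict for a suspicious request to the update handler, else None.

    Two signals from the advisory: (a) a state change arriving as a GET with
    parameters in the query string, (b) a request whose Referer is another site.
    A plain GET of the form page, or a same-site POST, is normal and not reported.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if not urlparse(target).path.startswith(UPDATE_PATH):
        return None

    findings = []
    if m["method"] == "GET" and "?" in target:
        findings.append("update requested via GET with query-string parameters")
    referer = m["referer"]
    # "-" or empty means the browser sent no Referer; absence alone is not a signal.
    ref_host = urlparse(referer).hostname if referer not in ("", "-") else None
    if ref_host and ref_host != APP_HOST:
        findings.append(f"cross-site referer: {ref_host}")
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "findings": findings}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(ln) for ln in lines) if f]


# Constructed sample log lines (not real traffic).  Lines 1-2 are a user opening
# the form and submitting it; lines 3-4 are the forged GET from a lure page and
# an auto-submitted cross-site POST from the same lure.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "GET /update HTTP/1.1" 200 512 "https://selfupdate.example.com/" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2026:10:00:09 +0000] "POST /update HTTP/1.1" 302 0 "https://selfupdate.example.com/update" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2026:10:05:30 +0000] "GET /update?email=victim%40attacker.example HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2026:10:05:31 +0000] "POST /update HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Treat the GET-with-parameters signal as the stronger one: a legitimate client never submits the update form that way, whereas the Referer check depends on the victim's browser sending the header at all, and many sites set a Referrer-Policy that suppresses it. Correlate hits with the application's own account-change log by time and source address to confirm which accounts were actually modified.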

Generated by OpenCVE AI on April 22, 2026 at 07:36 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dovestones
                                      Dovestones ad Self Update
Vendors & Products                    Dovestones
                                      Dovestones ad Self Update

Wed, 22 Apr 2026 08:00:00 +0000

Type     Values Removed   Values Added
Title                     Cross-Site Request Forgery Enables Unauthorized User Account Modification

Wed, 22 Apr 2026 00:00:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-352
Metrics                       cvssV3_1
                              {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}
                              ssvc
                              {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 15:00:00 +0000

Type          Values Removed   Values Added
Description                    Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T18:21:08.828Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31014

Vulnrichment

Updated: 2026-04-21T18:21:00.520Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T15:16:36.337

Modified: 2026-04-21T19:16:16.853

Link: CVE-2026-31014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:05Z

Weaknesses