Description
Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.
Published: 2026-06-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dovestones Softwares ADPhonebook contains a stored cross‑site scripting flaw that permits authenticated administrators to save configuration data through the /Admin/Save API without adequate input validation or output encoding, enabling malicious JavaScript to be persisted and later rendered in an administrator’s browser. The vulnerability is a classic example of a CWE‑79 type injection.

Affected Systems

All Dovestones Softwares ADPhonebook installations prior to version 4.0.1.1 are affected; no other vendors or products were identified.

Risk and Exploitability

Exploitation demands that an attacker first obtain administrative authentication to access the /Admin/Save endpoint. Once authenticated, the flaw can be exercised casually due to the lack of additional protection. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, while the CVSS score of 4.8 reflects moderate severity. Because the vulnerability is not listed in the CISA KEV catalog, no publicly reported exploits are currently known. The potential impact, inferred from the presence of stored XSS in a privileged context, could allow an attacker to run arbitrary code, steal session credentials, or modify the admin interface.

Generated by OpenCVE AI on June 8, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ADPhonebook to version 4.0.1.1 or later
  • If an upgrade is not immediately possible, enforce a Content Security Policy that prohibits inline script execution and restricts script sources to trusted origins
  • Restrict the /Admin/Save endpoint to a minimal set of trusted administrators and monitor for anomalous activity

Generated by OpenCVE AI on June 8, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Authenticated Admin Stored XSS via /Admin/Save in ADPhonebook

Mon, 08 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Authenticated Admin Stored XSS via /Admin/Save in ADPhonebook
Weaknesses CWE-79

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Dovestones
Dovestones adphonebook
Vendors & Products Dovestones
Dovestones adphonebook

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.
References

Subscriptions

Dovestones Adphonebook
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-08T16:43:28.010Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36460

cve-icon Vulnrichment

Updated: 2026-06-08T16:43:21.933Z

cve-icon NVD

Status : Deferred

Published: 2026-06-03T18:16:20.997

Modified: 2026-06-08T17:16:41.927

Link: CVE-2026-36460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T19:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')