CVE-2026-36460
Description
Dovestones AD Phonebook v4.0.0.11 and earlier is vulnerable to stored XSS via the /Admin/Save API, allowing authenticated admins to inject JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dovestones Software AD Phonebook versions 4.0.0.11 and earlier contain a stored cross-site scripting (XSS) flaw in the /Admin/Save API. Values submitted by authenticated administrative users to several configuration sections, including Search Filter, Domain Mapping, Details Section, Column Data, AD Directory Query, and General Settings, are accepted without input validation and later rendered without output encoding, so JavaScript placed in those fields is persisted and emitted into pages as live markup [1].
Exploitation
Exploitation requires an authenticated administrator account. The attacker opens the administrative configuration pages and submits a JavaScript payload in a field such as Search Filter or Domain Mapping, which the application persists through the /Admin/Save endpoint. Because the stored value is written back into pages unencoded, the payload executes in the browser of any user who later views or interacts with the affected configuration data [1].
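As an added example that is not Dovestones code (the product's source is not among the references), the following Node.js snippet shows the pattern the Vulnerability and Exploitation sections describe: admin-supplied configuration values such as Search Filter and Domain Mapping are persisted by a save endpoint and later written into HTML verbatim, beside the output-encoded rendering that closes the hole, plus a heuristic audit over stored settings. The setting names, data shape, and every function name here are assumptions for illustration, and the sample values are constructed.

```javascript
// Added example (not Dovestones code): how stored XSS in admin configuration
// fields arises, and how output encoding neutralises it. The object shape and
// the function names below are assumptions for illustration.

// Constructed sample of what a save endpoint like /Admin/Save might persist:
// admin-supplied settings, one of which carries an injected payload.
const storedSettings = {
  searchFilter: "(&(objectClass=user)(sAMAccountName=*))",
  domainMapping: 'corp.example<img src=x onerror="alert(document.cookie)">',
  detailsSection: "Name, Title, Department",
};

// Minimal HTML encoder covering the characters that matter in HTML text and
// in double- or single-quoted attribute values.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: stored values are interpolated into markup as-is, so
// whatever an admin saved runs in the browser of anyone who opens the page.
function renderSettingsVulnerable(settings) {
  return Object.entries(settings)
    .map(([name, value]) => `<tr><td>${name}</td><td>${value}</td></tr>`)
    .join("\n");
}

// Hardened pattern: every stored value is encoded at the point it enters HTML.
// Encoding on output (rather than stripping on input) keeps legitimate values
// such as LDAP filters, which legitimately contain '&', '(' and '*', intact.
function renderSettingsSafe(settings) {
  return Object.entries(settings)
    .map(([name, value]) => `<tr><td>${htmlEncode(name)}</td><td>${htmlEncode(value)}</td></tr>`)
    .join("\n");
}

// Audit heuristic: flag stored settings that look like injected markup. This is
// for reviewing an instance that ran a vulnerable version; whether the vendor
// fix cleans previously saved values is not stated in the references, so this
// assumes it may not. Expect to review hits manually; '\bon[a-z]+\s*=' avoids
// matching attribute names like telephoneNumber= but is still a heuristic.
const SUSPICIOUS = /<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousSettings(settings) {
  return Object.entries(settings)
    .filter(([, value]) => SUSPICIOUS.test(String(value)))
    .map(([name]) => name);
}

// Demonstration on the constructed sample.
console.log(renderSettingsVulnerable(storedSettings));
console.log(renderSettingsSafe(storedSettings));
console.log("suspicious settings:", findSuspiciousSettings(storedSettings));
```

Run with `node stored-xss-demo.js`. The vulnerable render emits the `<img onerror=...>` tag intact; the safe render turns it into inert text, and the audit flags only the tainted Domain Mapping value while leaving the LDAP-style Search Filter untouched.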
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the application's origin, in the browser of every user who views a page that displays the tainted setting. That can expose session cookies or authentication tokens, leading to session hijacking, administrative account compromise, user impersonation, modification of application content, or delivery of phishing content through trusted application pages [1].
Mitigation
Dovestones Software AD Phonebook version 4.0.1.1 addresses this vulnerability; users should update to version 4.0.1.1 or later. No workarounds are disclosed in the available references [1]. Because the injection point is reachable only by administrators, the realistic exposure is a malicious or compromised admin account. After updating, review the configuration fields listed above for previously saved payloads; the references do not state whether the fix also cleans values that were stored before the upgrade.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.