CVE-2026-31013
Received - Intake
Reflected XSS in Dovestones ADPhonebook Search Parameter

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: MITRE

Description
Dovestones Software ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing execution of arbitrary JavaScript in the victim's browser.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
1 associated CPE: vendor dovestones, product ad_phonebook, versions up to 4.0.1.1 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31013 is a reflected Cross-Site Scripting (XSS) vulnerability in Dovestones Software ADPhonebook versions prior to 4.0.1.1. It occurs in the search functionality via the "Department" parameter in requests to the /ADPhonebook?Department=HR endpoint.

User-supplied input is reflected in the HTTP response without proper input validation or output encoding, allowing an attacker to inject and execute arbitrary JavaScript code in the victim's browser.


How can this vulnerability impact me?

Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser under the security context of the vulnerable application.

  • Theft of session cookies or authentication tokens.
  • Phishing attacks by spoofing the user interface.
  • Unauthorized actions performed in the victim’s session context.
  • Redirection to malicious content.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /ADPhonebook?Department=HR endpoint for reflected cross-site scripting (XSS) issues. Specifically, you can send HTTP requests with crafted payloads in the Department parameter and observe if the input is reflected in the HTTP response without proper encoding.

A simple way to test this is by using curl or similar HTTP clients to send requests with JavaScript payloads and check the response for unencoded reflections.

  • curl -i "http://target/ADPhonebook?Department=<script>alert('XSS')</script>"
  • Observe the HTTP response for the presence of the <script>alert('XSS')</script> string without encoding.

If the script tag is reflected and executed in a browser, it confirms the presence of the vulnerability.
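A defender-side complement to the request test above, as an added example that is not part of this record: review web server access logs for requests to /ADPhonebook whose Department value carries markup or script where a department name belongs. The log lines are constructed, the Apache/nginx "combined" field layout is assumed, and the function names (inspectPath, scanLog) are mine.

```javascript
// Added example, not from the CVE record: flag access-log requests to
// /ADPhonebook whose Department value carries markup or script.
// Log format assumed: Apache/nginx "combined"; sample lines are constructed.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Content that has no business in a department name. Each entry pairs a
// label (for the finding) with the pattern that triggers it.
const INDICATORS = [
  ['script-tag', /<\s*\/?\s*script/i],
  ['event-handler', /<\s*[a-z]+[^>]*\son[a-z]+\s*=/i],
  ['javascript-uri', /javascript\s*:/i],
  ['embedding-tag', /<\s*(img|svg|iframe|object|embed)\b/i],
];

// Decode one extra layer so a double-encoded value is still inspected;
// malformed sequences fall back to the value as-is.
function extraDecode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Returns the indicator labels matched by the Department value of a request
// path, or null when the path is not the phonebook endpoint.
function inspectPath(path) {
  const url = new URL(path, 'http://localhost');
  if (url.pathname.toLowerCase() !== '/adphonebook') return null;
  // searchParams.get() already decodes one layer of percent-encoding.
  const raw = url.searchParams.get('Department') ?? '';
  const dept = extraDecode(raw);
  return INDICATORS.filter(([, re]) => re.test(dept)).map(([label]) => label);
}

// Parses each line and collects findings for suspicious phonebook requests.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, time, method, path, status] = m;
    const hits = inspectPath(path);
    if (hits && hits.length > 0) {
      findings.push({ ip, time, method, path, status: Number(status), indicators: hits });
    }
  }
  return findings;
}

// Constructed sample log lines (addresses from RFC 5737 documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.5 - - [21/Apr/2026:10:15:02 +0000] "GET /ADPhonebook?Department=HR HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [21/Apr/2026:10:15:40 +0000] "GET /ADPhonebook?Department=Sales%20%26%20Marketing HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [21/Apr/2026:10:16:44 +0000] "GET /ADPhonebook?Department=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5233 "-" "curl/8.4.0"',
  '192.0.2.9 - - [21/Apr/2026:10:17:01 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.method} ${f.path} -> ${f.indicators.join(', ')}`);
}
```

Only the third constructed line is reported; the line with an encoded ampersand in a legitimate department name decodes cleanly and is not flagged, which is why the check runs on the decoded value rather than on raw percent-encoded text.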


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Dovestones Software ADPhonebook to version 4.0.1.1 or later, where the vulnerability has been fixed through proper input validation and output encoding.

Additional recommended defenses include:

  • Implement context-aware output encoding to prevent script injection.
  • Sanitize and validate all user inputs, especially the Department parameter.
  • Deploy a Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
  • Set cookies with HttpOnly and Secure flags to protect session tokens.
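The mitigation list above, as an added example that is not ADPhonebook's code: a minimal search handler showing the defect class (the Department value interpolated straight into HTML) beside a hardened version that allow-list validates the parameter, encodes every untrusted value for the HTML context it lands in, and sets a restrictive Content Security Policy plus HttpOnly/Secure cookie attributes. The handler shape, the directory data, the department character set and the cookie value are assumptions for illustration.

```javascript
// Added example, not ADPhonebook's code: the defect class (reflecting the
// Department value verbatim into HTML) beside a hardened handler that
// validates the parameter, encodes output for its HTML context, and sets
// the response headers and cookie attributes the mitigation list recommends.
// Handler shape, directory data and cookie value are assumptions.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoder for the HTML element/attribute context the value is placed in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Department names are short and drawn from a known character set (assumed);
// anything else is rejected before it reaches the page at all.
const DEPARTMENT_RE = /^[A-Za-z0-9][A-Za-z0-9 &\/-]{0,63}$/;

// Constructed directory entries standing in for an AD lookup.
const DIRECTORY = [
  { name: 'A. Example', department: 'HR' },
  { name: 'B. Sample', department: 'Sales' },
];

function lookup(department) {
  return DIRECTORY.filter((p) => p.department === department);
}

// VULNERABLE: the query value is interpolated into the page unchanged, so a
// value containing markup becomes part of the document.
function renderVulnerable(department) {
  const rows = lookup(department).map((p) => `<li>${p.name}</li>`).join('');
  return `<h1>Results for ${department}</h1><ul>${rows}</ul>`;
}

// HARDENED: every untrusted value is encoded for the context it lands in,
// including directory data that may itself have been edited by users.
function renderHardened(department) {
  const rows = lookup(department).map((p) => `<li>${escapeHtml(p.name)}</li>`).join('');
  return `<h1>Results for ${escapeHtml(department)}</h1><ul>${rows}</ul>`;
}

// Headers from the mitigation list: a CSP that forbids inline script and
// cookie attributes that keep the session token away from page scripts.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
    // Placeholder cookie value; a real application issues an opaque random id.
    'Set-Cookie': 'session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax; Path=/',
  };
}

// Handles GET /ADPhonebook?Department=... and returns {status, headers, body}.
function handleSearch(requestUrl, { hardened = true } = {}) {
  const url = new URL(requestUrl, 'http://localhost');
  const department = url.searchParams.get('Department') ?? '';
  if (!hardened) {
    return { status: 200, headers: { 'Content-Type': 'text/html' }, body: renderVulnerable(department) };
  }
  if (!DEPARTMENT_RE.test(department)) {
    // Fixed message: nothing from the request is echoed back.
    return { status: 400, headers: securityHeaders(), body: '<h1>Invalid department</h1>' };
  }
  return { status: 200, headers: securityHeaders(), body: renderHardened(department) };
}

// The record's own test string, run through both handlers.
const probe = "/ADPhonebook?Department=<script>alert('XSS')</script>";
console.log('vulnerable:', handleSearch(probe, { hardened: false }).body);
console.log('hardened:  ', handleSearch(probe).status, handleSearch(probe).body);
```

Validation and encoding are deliberately layered: the allow-list rejects the test string outright, and if a future code path ever skips validation, the encoder still turns angle brackets into entities, while the CSP denies inline script execution as a final backstop.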

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The reflected cross-site scripting (XSS) vulnerability in Dovestones Software ADPhonebook allows execution of arbitrary JavaScript in a victim's browser, which can lead to theft of session cookies or authentication tokens, phishing attacks, and unauthorized actions within the victim's session.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, potentially resulting in data breaches.

Failure to properly validate and encode user input, as seen in this vulnerability, can violate requirements for protecting personal data and ensuring system security under these regulations.

Mitigations such as upgrading to a fixed version, input validation, output encoding, Content Security Policy (CSP), and secure cookie settings help reduce the risk and support compliance efforts.

