CVE-2026-36460
Cross-Site Scripting in ADPhonebook Software

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
Dovestones Software's ADPhonebook before v4.0.1.1 is vulnerable to Cross-Site Scripting. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.
Meta Information
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: dovestones_software
Product: adphonebook
Version / Range: up to 4.0.1.1 (excluding)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36460 is a stored Cross-Site Scripting (XSS) vulnerability in Dovestones Software AD Phonebook versions prior to 4.0.1.1.

The vulnerability occurs because the /Admin/Save API allows an authenticated administrator to inject malicious JavaScript payloads into multiple configuration fields without proper input validation or output encoding.

These malicious scripts are stored and later executed when users view the affected configuration data.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to several serious impacts, including session hijacking, theft of authentication tokens, administrative account compromise, user impersonation, content modification, and phishing attacks.

However, exploitation requires that the attacker has administrative privileges and that users interact with the affected content to trigger the malicious scripts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves stored Cross-Site Scripting (XSS) via the /Admin/Save API where authenticated admin users can inject malicious JavaScript payloads into configuration fields.

To detect this vulnerability on your system, you should verify if your Dovestones Software AD Phonebook version is prior to 4.0.1.1 and check for suspicious JavaScript code stored in configuration sections accessible via the /Admin/Save endpoint.

Since exploitation requires authenticated admin access, detection commands or scripts should focus on inspecting stored configuration data for injected scripts.

  • Use web application scanning tools or manual inspection to review the content of configuration fields for embedded <script> tags or suspicious JavaScript.
  • If you have access to the backend or database, query configuration tables or files for suspicious payloads containing JavaScript code.
  • Monitor HTTP requests to the /Admin/Save endpoint for unusual payloads or parameters containing script tags.

Specific commands depend on your environment, but examples include using curl or wget to fetch configuration pages and grep or similar tools to search for <script> tags.


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade Dovestones Software AD Phonebook to version 4.0.1.1 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict administrative access to trusted users only, as exploitation requires authenticated admin privileges.

Additionally, review and sanitize any stored configuration data to remove potentially malicious JavaScript payloads.

Implement monitoring for suspicious activity on the /Admin/Save endpoint and consider applying web application firewall (WAF) rules to block script injection attempts.
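Putting the detection and mitigation answers above into code, as an added example that is not part of the CVE record, the database page, or Dovestones Software's product: the first two functions implement the checks the detection answer suggests (inspect stored configuration values, and /Admin/Save request records, for script-injection indicators), and the last part shows what the missing output encoding looks like when fixed at render time, plus a scheme allow-list for URL fields, which HTML encoding alone does not cover. The field names, the request record format and every sample value are constructed for illustration; the record says nothing about how ADPhonebook stores its configuration or which parameters /Admin/Save accepts.

```python
"""Defensive checks for the stored-XSS pattern described in CVE-2026-36460.

Added example, not code from the CVE record or from Dovestones Software.
Field names, the request record format and all sample values are constructed.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Narrow indicators of HTML/JS injection in a value that should be plain text.
INJECTION_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(r"\son[a-z]+\s*=", re.IGNORECASE),  # onerror=, onload=
    "javascript-url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "active-element": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.IGNORECASE),
}

# Constructed snapshot of stored configuration (hypothetical field names).
SAMPLE_CONFIG = {
    "CompanyName": "Example Corp",
    "FooterText": "Contact IT on ext. 4242",
    "WelcomeMessage": "<script>alert('xss')</script>Welcome",
    "LogoUrl": "javascript:alert(1)",
    "HelpText": 'Click <img src="x" onerror="alert(1)"> for help',
}

# Constructed request records, "<method> <path>\t<form body>", as a reverse
# proxy or WAF that captures POST bodies might record them.
SAMPLE_REQUESTS = [
    "POST /Admin/Save\tCompanyName=Example+Corp&FooterText=Contact+IT",
    "POST /Admin/Save\tWelcomeMessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "GET /Phonebook/Search\tq=smith",
    "POST /Admin/Save\tHelpText=Click+%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
]


def find_injection(value: str) -> list[str]:
    """Names of the indicators that match `value`; empty for a clean value."""
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(value)]


def scan_config(config: dict[str, str]) -> dict[str, list[str]]:
    """Check 1: stored configuration fields that carry injection indicators."""
    findings = {}
    for field, value in config.items():
        hits = find_injection(value)
        if hits:
            findings[field] = hits
    return findings


def scan_requests(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Check 2: parameters of /Admin/Save requests whose URL-decoded value carries
    an indicator. Returns (1-based record number, parameter, indicators)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        request, _, body = line.partition("\t")
        _method, _, path = request.partition(" ")
        if path.split("?", 1)[0].lower() != "/admin/save":
            continue
        for param, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                hits = find_injection(value)
                if hits:
                    findings.append((lineno, param, hits))
    return findings


def render_field(value: str, encode: bool = True) -> str:
    """Render a config value as an HTML text node. encode=False reproduces the
    missing output encoding; encode=True is the fix for a text context."""
    body = html.escape(value, quote=True) if encode else value
    return f'<div class="cfg">{body}</div>'


class _TagCollector(HTMLParser):
    """Records start tags, i.e. the elements a browser would actually create."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def safe_url(value: str) -> str:
    """URL fields need a scheme allow-list: html.escape leaves
    'javascript:alert(1)' intact, so encoding alone does not fix an href/src."""
    candidate = value.strip()
    if urlsplit(candidate).scheme.lower() not in {"", "http", "https"}:
        return ""
    return candidate


if __name__ == "__main__":
    for field, hits in scan_config(SAMPLE_CONFIG).items():
        print(f"stored config {field}: {', '.join(hits)}")
    for lineno, param, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"request record {lineno}, parameter {param}: {', '.join(hits)}")
    payload = SAMPLE_CONFIG["WelcomeMessage"]
    print("unencoded render parses as:", tags_in(render_field(payload, encode=False)))
    print("encoded render parses as:  ", tags_in(render_field(payload, encode=True)))
```

Run as a script it prints a triage report for the constructed data. The `tags_in` check uses Python's HTML parser to make the encoding point concrete: the unencoded rendering of the sample welcome message yields a `div` and a `script` element, the encoded one only the wrapping `div`. The patterns are indicators for review, not a complete filter: a value that trips none of them is not proven clean, and the durable fix remains the vendor's 4.0.1.1 release.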


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-36460 allows authenticated administrators to inject malicious JavaScript payloads that can lead to session hijacking, theft of authentication tokens, administrative account compromise, user impersonation, content modification, or phishing attacks.

Such security issues can result in unauthorized access to sensitive data or systems, which may violate requirements of common standards and regulations like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, if exploited, this vulnerability could negatively impact compliance by exposing sensitive data or enabling unauthorized actions within the affected system.

