Compliance Impact

CVE-2026-36460 allows authenticated administrators to inject malicious JavaScript payloads that can lead to session hijacking, theft of authentication tokens, administrative account compromise, user impersonation, content modification, or phishing attacks.

Such security issues can result in unauthorized access to sensitive data or systems, which may violate requirements of common standards and regulations like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, if exploited, this vulnerability could negatively impact compliance by exposing sensitive data or enabling unauthorized actions within the affected system.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-36460 is a stored Cross-Site Scripting (XSS) vulnerability in Dovestones Software AD Phonebook versions prior to 4.0.1.1.

The vulnerability occurs because the /Admin/Save API allows an authenticated administrator to inject malicious JavaScript payloads into multiple configuration fields without proper input validation or output encoding.

These malicious scripts are stored and later executed when users view the affected configuration data.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to several serious impacts including session hijacking, theft of authentication tokens, administrative account compromise, user impersonation, content modification, and phishing attacks.

However, exploitation requires that the attacker has administrative privileges and that users interact with the affected content to trigger the malicious scripts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) via the /Admin/Save API where authenticated admin users can inject malicious JavaScript payloads into configuration fields.

To detect this vulnerability on your system, you should verify if your Dovestones Software AD Phonebook version is prior to 4.0.1.1 and check for suspicious JavaScript code stored in configuration sections accessible via the /Admin/Save endpoint.

Since exploitation requires authenticated admin access, detection commands or scripts should focus on inspecting stored configuration data for injected scripts.

• Use web application scanning tools or manual inspection to review the content of configuration fields for embedded <script> tags or suspicious JavaScript.
• If you have access to the backend or database, query configuration tables or files for suspicious payloads containing JavaScript code.
• Monitor HTTP requests to the /Admin/Save endpoint for unusual payloads or parameters containing script tags.

Specific commands depend on your environment, but examples include using curl or wget to fetch configuration pages and grep or similar tools to search for <script> tags.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade Dovestones Software AD Phonebook to version 4.0.1.1 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict administrative access to trusted users only, as exploitation requires authenticated admin privileges.

Additionally, review and sanitize any stored configuration data to remove potentially malicious JavaScript payloads.

Implement monitoring for suspicious activity on the /Admin/Save endpoint and consider applying web application firewall (WAF) rules to block script injection attempts.

Useful 0 Not Useful 0