Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.
AnalysisAI
Cross-site request forgery (CSRF) in Dovestones AD Self Update versions before 4.0.0.5 allows unauthenticated attackers to modify authenticated user account information by crafting malicious requests that exploit missing CSRF token validation. The vulnerability affects state-changing endpoints that accept both POST and GET requests without proper anti-CSRF protections, enabling account takeover when a victim visits a malicious page while logged in. Publicly available exploit code exists.
Technical ContextAI
The vulnerability stems from a lack of CSRF token validation (CWE-352) in the AD Self Update application's account modification endpoints. The affected endpoints process requests submitted via application/x-www-form-urlencoded content type and fail to implement synchronizer token patterns or same-site cookie attributes. Critically, POST-based state-changing requests can be converted to GET requests and still execute successfully, significantly reducing the attack complexity since GET requests can be embedded directly in HTML img tags, JavaScript fetch calls, or form submissions without user interaction beyond simply visiting a page. This design flaw allows attackers to weaponize the existing session authentication that an user maintains with the AD Self Update application.
RemediationAI
Upgrade Dovestones AD Self Update to version 4.0.0.5 or later. This is the confirmed fix version. If immediate upgrade is not feasible, implement compensating controls by restricting access to the AD Self Update application to internal networks only via firewall rules, thereby eliminating the network attack vector (AV:N becomes AV:L in practical terms). Additionally, enforce strict Content Security Policy (CSP) headers on any pages that integrate with or link to the AD Self Update application, particularly disabling frame embedding and restricting form submission targets-this reduces attack surface for reflected CSRF attacks. Session timeout hardening (reducing idle timeout to 15-30 minutes) will limit the window of exploitation, though this trades availability for security. Monitor and log all state-changing requests to account modification endpoints and alert on suspicious patterns (e.g., multiple modifications from different source IPs within a single session). Verify with your Dovestones support contact that version 4.0.0.5 includes CSRF token implementation and test thoroughly before deployment.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24133
GHSA-4mrw-82h5-p7hx