Skip to main content

Dovestones AD Self Update CVE-2026-31014

| EUVDEUVD-2026-24133 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-21 mitre GHSA-4mrw-82h5-p7hx
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
PoC Detected
Apr 23, 2026 - 16:21 vuln.today
Public exploit code
Analysis Generated
Apr 21, 2026 - 19:23 vuln.today
CVSS changed
Apr 21, 2026 - 19:22 NVD
6.3 (None) 6.3 (MEDIUM)
EUVD ID Assigned
Apr 21, 2026 - 15:00 euvd
EUVD-2026-24133
Analysis Generated
Apr 21, 2026 - 15:00 vuln.today
CVE Published
Apr 21, 2026 - 00:00 nvd
MEDIUM 6.3

DescriptionCVE.org

Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.

AnalysisAI

Cross-site request forgery (CSRF) in Dovestones AD Self Update versions before 4.0.0.5 allows unauthenticated attackers to modify authenticated user account information by crafting malicious requests that exploit missing CSRF token validation. The vulnerability affects state-changing endpoints that accept both POST and GET requests without proper anti-CSRF protections, enabling account takeover when a victim visits a malicious page while logged in. Publicly available exploit code exists.

Technical ContextAI

The vulnerability stems from a lack of CSRF token validation (CWE-352) in the AD Self Update application's account modification endpoints. The affected endpoints process requests submitted via application/x-www-form-urlencoded content type and fail to implement synchronizer token patterns or same-site cookie attributes. Critically, POST-based state-changing requests can be converted to GET requests and still execute successfully, significantly reducing the attack complexity since GET requests can be embedded directly in HTML img tags, JavaScript fetch calls, or form submissions without user interaction beyond simply visiting a page. This design flaw allows attackers to weaponize the existing session authentication that an user maintains with the AD Self Update application.

RemediationAI

Upgrade Dovestones AD Self Update to version 4.0.0.5 or later. This is the confirmed fix version. If immediate upgrade is not feasible, implement compensating controls by restricting access to the AD Self Update application to internal networks only via firewall rules, thereby eliminating the network attack vector (AV:N becomes AV:L in practical terms). Additionally, enforce strict Content Security Policy (CSP) headers on any pages that integrate with or link to the AD Self Update application, particularly disabling frame embedding and restricting form submission targets-this reduces attack surface for reflected CSRF attacks. Session timeout hardening (reducing idle timeout to 15-30 minutes) will limit the window of exploitation, though this trades availability for security. Monitor and log all state-changing requests to account modification endpoints and alert on suspicious patterns (e.g., multiple modifications from different source IPs within a single session). Verify with your Dovestones support contact that version 4.0.0.5 includes CSRF token implementation and test thoroughly before deployment.

Share

CVE-2026-31014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy