Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.
AnalysisAI
Stored Cross-Site Scripting in Dovestones Softwares ADPhonebook before v4.0.1.1 permits authenticated admin users to inject persistent JavaScript payloads via the /Admin/Save API endpoint. Because multiple configuration sections lack input validation and output encoding, injected scripts survive across sessions and execute in any victim's browser when the affected configuration pages are loaded, with CVSS scope change (S:C) confirming cross-user impact beyond the planting admin. No public exploitation identified at time of analysis; EPSS is 0.02% (5th percentile), though a publicly available proof-of-concept gist exists at the referenced GitHub URL.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize user-supplied data before rendering it as HTML or JavaScript in a browser context. In ADPhonebook, the /Admin/Save API endpoint accepts configuration payloads and persists them to storage without server-side input validation or context-aware output encoding. When those configuration values are later retrieved and rendered in the admin UI, the raw payload is executed by the browser as script. The CVSS vector S:C (Scope Changed) is technically significant: it confirms the injected payload can affect security principals other than the admin who stored it - meaning a single malicious configuration write can compromise multiple user sessions. CPE data returned as n/a by NVD, so exact platform and OS context are not confirmed; the product is a Windows-based Active Directory phonebook tool based on the vendor download page context.
RemediationAI
Upgrade ADPhonebook to v4.0.1.1 or later - this is the fix version indicated by the CVE description and the vendor download page at https://dovestones.com/download/. Note that the patched version is inferred from the vulnerability description and has not been independently confirmed via a dedicated vendor security advisory. If immediate upgrade is not feasible, restrict access to the ADPhonebook admin panel to a dedicated management VLAN or trusted IP ranges using firewall or reverse-proxy ACLs; this prevents unauthorized parties from reaching the /Admin/Save API entirely. Additionally, enforce the principle of least privilege by minimizing the number of accounts with admin access to the application, and review existing configuration sections for anomalous or unexpected script content as an indicator of prior exploitation. Monitor admin session activity for unusual configuration changes as a compensating detective control.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34140
GHSA-5c2q-xgpr-q68v