CVE-2026-36460: ADPhonebook XSS Vulnerability in Admin Configuration API
Dovestones Software's ADPhonebook application before version 4.0.1.1 contains a Cross-Site Scripting (XSS) vulnerability in its administrative configuration API. An authenticated administrator can inject malicious JavaScript code into various system configuration sections, which is then stored and executed in the browsers of other users who access those settings. This requires both admin privileges and user interaction (a victim must view the affected configuration), limiting but not eliminating the risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the /Admin/Save API endpoint of ADPhonebook. The application fails to validate and encode user-supplied input before storing it in configuration sections accessible through the administrative interface. An authenticated admin user with privileged access can craft requests containing malicious JavaScript payloads that bypass input sanitization. When other users (typically other admins or support staff) access these configuration pages, the unencoded payload executes within their browser context, potentially under the same origin. This is a stored XSS vulnerability (CWE-79) rather than reflected, meaning the payload persists in the application's data store.
Business impact
A compromised or malicious administrator account could inject scripts that steal session tokens, modify administrative settings, exfiltrate configuration data, or perform unauthorized actions on behalf of other admin users. The impact is contained to authenticated users accessing the admin interface, but could lead to lateral privilege escalation, data theft, or unauthorized system reconfiguration. Organizations should assess whether their admin user base is trustworthy and whether admin consoles are adequately segregated from user-facing systems.
Affected systems
ADPhonebook versions prior to 4.0.1.1 are vulnerable. The vulnerability requires administrative credentials to exploit, so exposure is limited to organizations running affected versions where admin accounts may be compromised or insider threats exist.
Exploitability
Exploitability is medium. The attack requires an authenticated admin account and relies on user interaction—a second admin or authorized user must navigate to the affected configuration section for the payload to execute. This is not a network-based, unauthenticated, or fully automated attack. However, within a compromised admin environment or in scenarios where insider threats are a concern, the attack is straightforward to execute and difficult to detect at the application level.
Remediation
Upgrade ADPhonebook to version 4.0.1.1 or later. Verify the patch availability in the vendor's advisory before deploying. Additionally, apply defense-in-depth: implement robust input validation and output encoding across all user-supplied fields, enforce strong authentication and access controls for admin interfaces, monitor admin API activity for suspicious payloads, and restrict admin console access to trusted networks where possible.
Patch guidance
Deploy the official patch to ADPhonebook 4.0.1.1 or later. Before patching, test in a non-production environment to confirm compatibility with your deployment. After patching, verify that the /Admin/Save API now properly encodes configuration inputs. If running on-premises, ensure your deployment pipeline validates and stages updates appropriately. For cloud-hosted instances, check with Dovestones Software or your hosting provider on patch deployment timelines.
Detection guidance
Monitor HTTP POST requests to the /Admin/Save endpoint for payloads containing JavaScript keywords (e.g., 'script', 'onerror', 'onclick', angle brackets in unexpected locations). Log and alert on admin API calls that include HTML or script tags in parameter values. Inspect stored configuration data for encoded or obfuscated JavaScript. Use Web Application Firewall (WAF) rules to detect XSS patterns in admin endpoint requests. Implement browser-based XSS detection extensions for users accessing admin interfaces. Correlate admin API activity with subsequent JavaScript execution events in admin session logs.
Why prioritize this
While the CVSS score of 4.8 reflects the authentication and user interaction requirements that lower overall risk, organizations should not dismiss this vulnerability. Admin-level XSS is a direct path to privilege escalation and lateral movement within trusted administrative functions. If your admin team is distributed, remote, or uses shared accounts, the user interaction barrier is lower in practice. Prioritize this for patching if you have identified any compromise of admin credentials or if you operate in a high-insider-threat environment. Otherwise, schedule it as part of regular maintenance within 30–60 days.
Risk score, explained
The CVSS 3.1 score of 4.8 (MEDIUM) reflects: Network-based attack vector (AV:N) but requires high privileges (PR:H, admin only); low attack complexity (AC:L); requires user interaction (UI:R); scope change (S:C, affects other users); and limited impact—confidentiality and integrity are low (C:L, I:L) with no availability impact (A:N). The score appropriately captures the authentication barrier and user interaction requirement, but does not fully weight the severity of compromised admin functionality. Risk assessment should include your specific threat model and admin account security posture.
Frequently asked questions
Can an unauthenticated attacker exploit this?
No. The vulnerability requires an authenticated administrator account with access to the /Admin/Save API. Unauthenticated users cannot reach the vulnerable endpoint.
Will upgrading to 4.0.1.1 fully eliminate XSS risks in ADPhonebook?
This patch addresses the specific XSS vulnerability in the /Admin/Save endpoint. However, general input validation and output encoding practices should be applied consistently across the application. Verify against the vendor advisory that this patch includes comprehensive fixes, and consider a security assessment if you have other concerns.
What if we can't patch immediately—are there interim mitigations?
Restrict access to the admin console using IP whitelisting or VPN. Enforce multi-factor authentication for admin accounts. Monitor /Admin/Save requests for suspicious payloads. Disable the admin API if not in active use. These measures reduce risk but do not eliminate the vulnerability; patching remains necessary.
Is this vulnerability being actively exploited in the wild?
As of the data provided, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no known active exploitation has been documented. However, the absence of public exploitation does not guarantee the vulnerability is not being targeted; maintain vigilance and patch promptly.
This analysis is provided for informational purposes and reflects the vulnerability details and patch status as of the data source date. Readers should verify all patch version numbers and availability directly with Dovestones Software. CVSS scores are as published by the vendor; your organization's risk determination should account for your specific environment, threat model, and the sensitivity of administrative functions in your deployment. Always test patches in a non-production environment before production deployment. For the most current advisory and remediation details, consult the vendor's official security bulletin. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1