Dovestones Software AD Phonebook Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting (XSS) vulnerability has been identified in Dovestones Software AD Phonebook versions prior to 4.0.1.1. The issue resides in the search parameter of the '/ADPhonebook?Department=HR' endpoint, where user-supplied input is echoed into the HTML of the HTTP response without adequate validation or output encoding. An attacker who induces a user to open a crafted link to this endpoint can have arbitrary JavaScript execute in that user's browser, in the origin of the AD Phonebook application.
Impact
Exploitation of this vulnerability allows arbitrary JavaScript to execute in the victim's browser within the AD Phonebook origin. Consequences include theft of session cookies or authentication tokens (where those cookies are not marked HttpOnly), phishing and user-interface spoofing within the trusted application, unauthorized actions performed with the victim's session, and redirection to attacker-controlled content. Because the flaw is reflected, each victim must be induced to open a crafted URL, typically via a link delivered by e-mail or messaging.
Remediation
Users are advised to upgrade to Dovestones Software AD Phonebook version 4.0.1.1 or later, which addresses the vulnerability by implementing proper input validation and output encoding of the reflected search parameter. After upgrading, confirm the fix by requesting the search endpoint with a harmless marker value containing HTML metacharacters and verifying that the response returns it encoded rather than as raw markup.
