Dovestones Software AD Self Update Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Dovestones Software AD Self Update versions prior to 4.0.0.5. The application processes state-changing requests (user detail updates) without requiring a CSRF token or equivalent protection. Because the vulnerable endpoint accepts application/x-www-form-urlencoded parameters regardless of HTTP method, the original POST request can be converted into a GET request carrying the same parameters in the query string and still updates user details. An attacker can therefore embed the forged request in a link, image or auto-submitting form on a third-party page; when an authenticated user loads that page, the browser attaches the user's session cookie and the application modifies the user's account information without the user's knowledge or consent.
Impact
Exploitation of this vulnerability could lead to unauthorized changes to a victim's account details, including contact information and profile attributes, made with the victim's own session. Such modifications can disrupt account workflows, compromise the integrity of the user data stored in the directory, and create opportunities for social engineering, for example by altering the contact details used to reach or verify the user.
Remediation
Users are advised to upgrade to Dovestones Software AD Self Update version 4.0.0.5 or later. As defence in depth, require a per-session CSRF token on every state-changing request, accept update actions only via POST and read their parameters from the request body rather than the query string, validate the Origin and Referer headers where appropriate, set the session cookie with a SameSite attribute, and require reauthentication for sensitive account changes.
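The following is an added illustration, not code from Dovestones Software or from AD Self Update, of the behaviour described above and of the remediation checks: a permissive update handler that merges query-string and form parameters and takes any method, beside a hardened handler that accepts only a same-origin POST carrying a session-bound token. The endpoint path, parameter names, session identifiers, origin and the HMAC-based token scheme are assumptions chosen for the example.

```python
"""
Added example (not the vendor's code): a CSRF-able self-update handler
beside a hardened one.  Endpoint, parameter names, session ids, origin
and the token scheme are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

APP_ORIGIN = "https://selfupdate.example.com"  # assumed deployment origin
SECRET_KEY = secrets.token_bytes(32)            # per-process key for token MAC
FORM_TYPE = "application/x-www-form-urlencoded"


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str = ""                      # form-encoded body, if any
    session_id: Optional[str] = None    # session cookie the browser attached


def _merged_params(req: Request) -> dict:
    """The permissive behaviour the advisory describes: query-string and
    form-body parameters are treated alike, so a POST replays as a GET."""
    merged = {k: v[0] for k, v in parse_qs(urlparse(req.url).query).items()}
    if req.headers.get("Content-Type", "").startswith(FORM_TYPE):
        merged.update({k: v[0] for k, v in parse_qs(req.body).items()})
    return merged


def vulnerable_update(req: Request, directory: dict) -> str:
    """Pre-fix handler: any method, no token, parameters from anywhere."""
    user = directory.get(req.session_id)
    if user is None:
        return "401 not signed in"
    params = _merged_params(req)
    if "mobile" in params:
        user["mobile"] = params["mobile"]
    return "200 updated"


def issue_csrf_token(session_id: str) -> str:
    """Synchroniser-style token bound to the session via HMAC-SHA256."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_update(req: Request, directory: dict) -> str:
    """Post-fix handler: POST only, same-origin, body-only params, valid token."""
    user = directory.get(req.session_id)
    if user is None:
        return "401 not signed in"
    if req.method != "POST":
        return "405 method not allowed"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(APP_ORIGIN + "/") and origin != APP_ORIGIN:
        return "403 cross-origin request refused"
    form = {k: v[0] for k, v in parse_qs(req.body).items()}  # never the query string
    expected = issue_csrf_token(req.session_id).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return "403 missing or invalid CSRF token"
    if "mobile" in form:
        user["mobile"] = form["mobile"]
    return "200 updated"


def demo() -> dict:
    """Run constructed requests through both handlers and report outcomes."""
    directory = {"sess-alice": {"mobile": "+1 555 0100"}}  # constructed user record
    # Forged GET, e.g. <img src=...> on an attacker page: cookie rides along,
    # no token, attacker Referer.
    forged_get = Request("GET", APP_ORIGIN + "/update?mobile=%2B1+555+0199",
                         {"Referer": "https://attacker.example/"}, session_id="sess-alice")
    # Forged POST from an auto-submitting cross-site form, still without a token.
    forged_post = Request("POST", APP_ORIGIN + "/update",
                          {"Origin": "https://attacker.example", "Content-Type": FORM_TYPE},
                          body="mobile=%2B1+555+0198", session_id="sess-alice")
    # Legitimate same-origin POST with the token embedded in the form.
    legit = Request("POST", APP_ORIGIN + "/update",
                    {"Origin": APP_ORIGIN, "Content-Type": FORM_TYPE},
                    body="mobile=%2B1+555+0177&csrf_token=" + issue_csrf_token("sess-alice"),
                    session_id="sess-alice")
    results = {"vuln_get": vulnerable_update(forged_get, directory)}
    results["mobile_after_vuln"] = directory["sess-alice"]["mobile"]
    results["hard_get"] = hardened_update(forged_get, directory)
    results["hard_forged_post"] = hardened_update(forged_post, directory)
    results["hard_legit"] = hardened_update(legit, directory)
    results["mobile_final"] = directory["sess-alice"]["mobile"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened handler checks in the order a practitioner would want: method first (so GET never reaches the update code), then Origin/Referer, then a token compared in constant time. A real deployment would additionally mark the session cookie SameSite=Lax or Strict so the browser itself withholds it on cross-site navigations, which the in-process model above cannot show.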
