XSS in management filters
I found a cross-site scripting issue in FusionDirectory. You can easily reproduce the issue with the following steps:
- Launch FusionDirectory 1.2.1
  $ git clone https://github.com/hrektts/docker-fusiondirectory.git
  $ docker-compose up -d
- Open http://localhost:10080/fd/ with the Browser
- Enter fd-admin / fdadminpwd to sign in
- Go to "users" in the left menu
- Enter "et7s7'onfocus='alert(1)'autofocus='laqnc" into a text field of the Filter panel on the right side
This issue might remain in the latest version. To fix this issue, the user input must be escaped properly.
Regards, Takumi
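The report says the filter value must be escaped properly. The following is an added illustration of what that means for this class of bug; it is not FusionDirectory's code and not the reporter's, and the function and variable names are invented. It shows the unsafe pattern (a raw value interpolated into a single-quoted HTML attribute, which is what lets the string in the report close the attribute and introduce new ones) next to the hardened pattern (attribute-context encoding with `htmlspecialchars`, both quote styles escaped, and a double-quoted attribute).

```php
<?php
// Added example, not FusionDirectory's own code.
// Scenario (assumed): a management-page filter form reflects the submitted
// filter text back into an <input> so the user sees the current filter.

// Vulnerable pattern: the value is concatenated into a single-quoted
// attribute without encoding. Any single quote in the value terminates the
// attribute, so the rest of the string is parsed as further attributes.
function render_filter_vulnerable(string $value): string
{
    return "<input type='text' name='filter' value='" . $value . "'>";
}

// Hardened pattern: encode for the HTML attribute context.
//   ENT_QUOTES      escapes both ' and ", so neither quote style can break out
//   ENT_SUBSTITUTE  replaces invalid UTF-8 instead of returning "" silently
//   ENT_HTML5       selects HTML5 entity names (' becomes &apos;)
// The attribute itself is double-quoted, matching the encoding.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_filter_hardened(string $value): string
{
    return '<input type="text" name="filter" value="' . html_attr($value) . '">';
}

// Self-check: after encoding, the value may not contain a raw quote of
// either kind, nor < or >, so it cannot end the attribute or the tag.
function encoded_value_cannot_break_out(string $value): bool
{
    $encoded = html_attr($value);
    return strpbrk($encoded, "'\"<>") === false;
}

// Constructed input: the exact string from the report above.
$input = "et7s7'onfocus='alert(1)'autofocus='laqnc";

echo "Vulnerable rendering:\n", render_filter_vulnerable($input), "\n\n";
echo "Hardened rendering:\n", render_filter_hardened($input), "\n\n";
echo "Encoded value is confined to the attribute: ",
     encoded_value_cannot_break_out($input) ? "yes" : "no", "\n";
```

Run it with `php example.php` and compare the two `<input>` tags: in the first, the browser parses `onfocus` and `autofocus` as attributes of their own; in the second, the whole submitted string is a single `value`. The encoding has to match the sink: this helper is only correct for values placed inside a quoted HTML attribute, and a value written into a `<script>` block, a URL, or CSS needs the encoding for that context instead. A `Content-Security-Policy` that disallows inline event handlers is a useful second layer, but it does not replace fixing the output encoding.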