Skip to content
GitLab
Closed
Issue created by bmortier@bmortierMaintainer

XSS in management filters

I found a cross site scripting issue in FusionDirectory. You can easily reproduce the issue with the following procedures:

  1. Launch FusionDirectory 1.2.1

$ git clone https://github.com/hrektts/docker-fusiondirectory.git $ docker-compose up -d

  1. Open http://localhost:10080/fd/ with the Browser
  2. Enter fd-admin / fdadminpwd to sign in
  3. Go to "users" in the left menu
  4. Input "et7s7'onfocus='alert(1)'autofocus='laqnc" to a textfield in Filter on the right side

This issue might remain in the latest version. For fixing this issue, the user input must be escaped properly.

Regards, Takumi

Edited by bmortier