Name | CVE-2022-36180 |
Description | Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) via /fusiondirectory/index.php?message=[injection], /fusiondirectory/index.php?message=invalidparameter&plug={Injection], /fusiondirectory/index.php?signout=1&message=[injection]&plug=106. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3487-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
fusiondirectory (PTS) | buster | 1.2.3-4+deb10u1 | vulnerable |
fusiondirectory (PTS) | buster (security) | 1.2.3-4+deb10u2 | fixed |
fusiondirectory (PTS) | bullseye | 1.3-4 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
fusiondirectory | source | buster | 1.2.3-4+deb10u2 | | DLA-3487-1 | |
fusiondirectory | source | (unstable) | (unfixed) | | | |
[bullseye] - fusiondirectory <no-dsa> (Minor issue)
https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/
https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366 (fusiondirectory-1.3.1)