CVE-2022-36180: 
Linux Debian vulnerability analysis and mitigation

Fusiondirectory version 1.3 was found to be vulnerable to Cross Site Scripting (XSS). The vulnerability, identified as CVE-2022-36180, was discovered in 2022 and affects the web-based LDAP administration program through multiple injection points in the application's index.php file (Yoroi Advisory, NVD).

The vulnerability exists due to improper sanitization of the 'message' and 'plug' parameters in the application. The affected endpoints include '/fusiondirectory/index.php?message=[injection]', '/fusiondirectory/index.php?message=invalidparameter&plug={Injection]', and '/fusiondirectory/index.php?signout=1&message=[injection]&plug=106'. The vulnerability received a CVSS v3.1 base score of 9.6 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows unauthenticated attackers to potentially execute malicious code in victims' browsers. The impact is heightened because the session cookie is not protected by the HttpOnly flag, allowing its content to be read by JavaScript and potentially stolen by attackers (Yoroi Advisory).

The vulnerability has been fixed in FusionDirectory version 1.3.1. Users are advised to upgrade to this version to mitigate the security risk. For Debian 10 (buster) users, the fix is available in version 1.2.3-4+deb10u2 (Debian Advisory).