The FusionDirectory security team investigates all reports of security vulnerabilities affecting FusionDirectory, and releases these documents as part of the ongoing effort to help you manage security risks and help keep your systems protected.

| FSA number | CVE number | Version | Explanation | Issues |
|---|---|---|---|---|
| FSA-0012 | | 1.0.20 | User can lock their own account | |
| FSA-0011 | | 1.0.18 | User with role “editownpwd” or “editowninfo” must not be able to lock other accounts | |
| FSA-0010 | | 1.0.18 | Incorrect data published to fdPrivateMail via the web service deletes the existing data | |
| FSA-0009 | | 1.0.14 | Triggers can lead to the execution of arbitrary code in the shell | |
| FSA-0008 | | 1.0.13 | FusionDirectory shows LDAP password in clear text during connection error | |
| FSA-0007 | | 1.0.9.3 | Locked users can continue to log in with their SSH keys | |
| FSA-0006 | CVE-2014-9760 | 1.0.8.2 | XSS injection possible in the login screen | |
| FSA-0005 | | 1.0.8.1 | We can connect with an expired account if we are able to modify the connection URL | |
| FSA-0004 | | 1.0.8.1 | The password is not hidden when using the post modification trigger and it produces an error | |
| FSA-0003 | | 1.0.8 | The password change trigger continues to execute when there is an error if you are logged in as fd-admin | |
| FSA-0002 | | 1.0.8 | FusionDirectory should not execute code from the shell | |
| FSA-0001 | | 1.0.5 | The class that manages the lists does not exclude the HTML code inserted | |