The staff search page does not sanitise the input of the ID field, allowing an XSS attack to be executed.
Code:
Posted Mo BeigiPersianMG in XSS
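
The flaw described above next to a hardened handler, as an added example that is not code from the original post or from the affected application. The digit-only ID format, the function names and the sample input are assumptions made for illustration.

```python
import html
import re

# Assumption: staff IDs are 1-10 ASCII digits (the post does not give the format).
# [0-9] is used instead of \d so non-ASCII digits are rejected, and fullmatch()
# is used so a trailing newline or extra text cannot slip past the check.
STAFF_ID_RE = re.compile(r"[0-9]{1,10}")


def render_unsafe(staff_id: str) -> str:
    """The pattern the post describes: the ID value is echoed into HTML as-is."""
    return f"<p>Results for staff ID: {staff_id}</p>"


def parse_staff_id(raw: str):
    """Allowlist validation: return the ID if it has the expected shape, else None."""
    candidate = raw.strip()
    return candidate if STAFF_ID_RE.fullmatch(candidate) else None


def render_safe(raw: str) -> str:
    """Validate on input, encode on output, and never reflect rejected input."""
    staff_id = parse_staff_id(raw)
    if staff_id is None:
        return "<p>Invalid staff ID.</p>"
    # Encoding is kept even after validation so a later change to the
    # allowlist cannot silently reintroduce the injection.
    return f"<p>Results for staff ID: {html.escape(staff_id, quote=True)}</p>"


def render_encoded(term: str) -> str:
    """For free-text search fields where no allowlist exists: encode only."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


if __name__ == "__main__":
    probe = "<b>42</b>"  # constructed, harmless markup probe
    print(render_unsafe(probe))   # markup reaches the page unchanged
    print(render_safe(probe))     # rejected, input not reflected
    print(render_safe("42"))      # well-formed ID is rendered
    print(render_encoded(probe))  # markup rendered as inert text
```
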