I'm making an executive decision to publicly disclose this known XSS vulnerability, before anyone else comments on that aspect of things.
Originally reported in September 2015 and again sometime in 2016 by CYBER WARR?OR BUG RES. - AaCcTt and Kenan Genç - ZerOne
The search-user parameter used on the /users route is vulnerable to XSS, confirmable via https://issues.joomla.org/users?search-user=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(1)%3E.
This issue has ONLY been confirmed on the live hosting server. I cannot replicate this in my local environment nor on other hosting platforms I have deployed the tracker to specifically to validate this.
I can independently confirm that there is not a higher level vulnerability in the Joomla! Framework. https://issues.joomla.org/xte.php demonstrates this; the script that is executed can be found at https://gist.github.com/mbabker/423302220d26769a169bf56506e7ae5a.
I am making this issue public now because after a year looking at this on and off and having independent reports of the issue, I cannot confirm it in any environment except the live hosting platform and neither myself nor active JSST members have identified a code fix for this. I feel that the security risk of this issue at this time is not of such severity that it is a high risk to disclose unfixed.
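Added example, not the tracker's own code: the unsafe and the escaped way of reflecting the search-user value into the /users search form, exercised with the payload from the report. Function names are hypothetical; the value is constructed inline so the script runs offline.

```php
<?php
// The reported payload as PHP would expose it in $_GET['search-user'] after
// decoding the query string (constructed sample, so this runs stand-alone).
$searchUser = '"><img src=x onerror=prompt(1)>';

// Unsafe: the raw value is concatenated into the value="" attribute. The
// leading double quote closes the attribute and the rest is parsed as markup.
function renderSearchBoxUnsafe(string $value): string
{
    return '<input type="text" name="search-user" value="' . $value . '">';
}

// Hardened: encode every HTML-significant character, including both quote
// styles, so the value can only ever be attribute text, never markup.
function renderSearchBoxSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search-user" value="' . $escaped . '">';
}

// Minimal response check: an unescaped reflection leaves a real <img> tag
// start in the rendered HTML; the escaped one cannot.
function reflectsUnescaped(string $html): bool
{
    return (bool) preg_match('/<img\b/i', $html);
}

$unsafe = renderSearchBoxUnsafe($searchUser);
$safe   = renderSearchBoxSafe($searchUser);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

assert(reflectsUnescaped($unsafe) === true);
assert(reflectsUnescaped($safe) === false);
```

Because the report could only be reproduced on the live host, a check like reflectsUnescaped belongs on the output the deployed build actually emits, not only on a local copy of the code.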
Labels | Added: bug, security, server issue |
PHP version or extension related?
Can you share the FPA report with me? Privately
This isn't a CMS install. There is no FPA report to be generated. All of the code on the server can be found in this repository or installed via composer install (for the third party dependencies).
OK. I was interested in the PHP and PHP-extensions part only anyway
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-04-02 23:50:15 |
Closed_By | ⇒ | mbabker |
Yes I do remember we have discussed it by email and I also cannot reproduce it locally or on my testing server:
http://jtracker.j4devs.ru/users?search-user=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(1)%3E
Weird issue :(