VuFind version 1.0 suffers from a cross site scripting vulnerability.