Drupal Cross-Site Scripting, Code Injection and Information Disclosure Vulnerabilities

Drupal Cross-Site Scripting, Code Injection and Information Disclosure Vulnerabilities

Drupal is prone to a cross-site vulnerability, a code-injection vulnerability, and an information-disclosure weakness.

An attacker may leverage these issues to obtain potentially sensitive information, execute arbitrary code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. In certain situations, the attacker may be able to leverage these issues to run arbitrary PHP code on the affected site.

These issues affect the following:

Drupal 5.x (prior to 5.19)
Drupal 6.x (prior to 6.13)