On a server configured for IP-based virtual hosts, Drupal may be
caused to include and execute specifically named files outside
of its root directory. This bug affects both Drupal 5 and
Drupal 6.

The title of book pages is not always properly escaped, enabling
users with the "create book content" permission or the
permission to edit any node in the book hierarchy to insert
arbitrary HTML and script code into pages. Such a cross-site
scripting attack may lead to the attacker gaining administrator
access. This bug affects Drupal 6.