A bug in input validation, combined with missing output escaping,
allows HTML and script insertion on several pages.
Drupal's XML parser passes unescaped data to watchdog
under certain circumstances. A malicious user may execute
an XSS attack via a specially crafted RSS feed. This
vulnerability exists on systems that do not use PHP's
mb_string extension (to check whether mb_string is in use,
navigate to admin/settings and look under "String
handling"). Disabling the aggregator module provides an
immediate workaround for the RSS feed issue.
The aggregator module, profile module, and forum module do
not properly escape output of certain fields.
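The following is an added example, not code from Drupal or from the advisory, illustrating the pattern behind both the RSS feed issue and the unescaped module fields: a string taken from a third-party feed is dropped into HTML as-is versus passed through an escaper first. The feed document is constructed for the example, and check_plain_local() is a stand-in for Drupal's check_plain(), which likewise wraps htmlspecialchars().

```php
<?php
// Added example (not Drupal code): why aggregated feed data must be escaped
// before it is logged to watchdog or rendered in a page.

// Constructed sample feed: the attacker-controlled <title> carries markup.
$feed = <<<XML
<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example feed</title>
  <item>
    <title><![CDATA[Hello <script>alert(document.cookie)</script>]]></title>
    <link>http://example.invalid/1</link>
  </item>
</channel></rss>
XML;

// Stand-in for Drupal's check_plain(): escape the five HTML-significant
// characters so the browser treats the string as text, not markup.
function check_plain_local($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the parsed string goes straight into HTML, so any
// <script> in the feed is executed in the viewer's browser.
function render_item_unsafe(SimpleXMLElement $item) {
    return '<li>' . (string) $item->title . '</li>';
}

// Hardened pattern: every feed field that reaches an HTML context (page
// output or a watchdog entry later shown to an administrator) is escaped.
function render_item_safe(SimpleXMLElement $item) {
    return '<li>' . check_plain_local((string) $item->title) . '</li>';
}

$xml = new SimpleXMLElement($feed);
foreach ($xml->channel->item as $item) {
    echo render_item_unsafe($item), "\n"; // markup survives intact
    echo render_item_safe($item), "\n";   // &lt;script&gt;... is inert text
}
```

The same rule applies to the profile and forum fields mentioned above: escaping belongs at the point where a value enters an HTML context, not at input time, because a value stored once may be rendered in several places (including the admin log viewer).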
Note: XSS attacks may lead to administrator access if
certain conditions are met, for example when an administrator
views the injected content while logged in.