drupal

• Author: vmiklos
• Vulnerable: 4.7.5-1
• Unaffected: 4.7.7-1terminus1

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via “some server variables,” including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.

• Bug Tracker URL: http://bugs.frugalware.org/task/2295

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4064