Key Information
Vulnerability ID: DRUPAL-SA-2007-001
Project: Drupal core
Date: 2007-01-05
Security Risk Level: Low
Exploitation Method: Remote
Vulnerability Type: Cross-Site Scripting (XSS)

Affected Versions
- Drupal 4.6.x versions (prior to Drupal 4.6.11)
- Drupal 4.7.x versions (prior to Drupal 4.7.5)

Remediation
Upgrade
- If running Drupal 4.6.x, upgrade to Drupal 4.6.11. - Download Link
- If running Drupal 4.7.x, upgrade to Drupal 4.7.5. - Download Link
Patch
- For Drupal 4.6.10, apply the patch
- For Drupal 4.7.4, apply the patch

Description
A few parameters passed via URL were not properly sanitized before being displayed. If an attacker tricks an administrator into clicking a specially crafted link, they can inject and execute arbitrary HTML and script code. Under specific conditions, this could lead to gaining administrative privileges.

Reporter
Anonymous, reported via JPCERT.

Contact
Drupal’s security contact email is security@drupal.org, or via the contact form.
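The following PHP snippet is an added illustration of the class of bug the Description covers, not code from Drupal core or from the advisory. It shows a URL parameter echoed unescaped next to the corrected form. The function names, the parameter name "title" and the sample request value are all constructed for the example; the escaping applied in the fixed function is the same htmlspecialchars() transformation that Drupal's check_plain() helper performs.

```php
<?php
// Added example (not Drupal's own code): a reflected-XSS pattern of the kind
// DRUPAL-SA-2007-001 describes, beside its hardened form. Function names and the
// "title" parameter are hypothetical; the sample query value is constructed.

// Vulnerable: the URL parameter is written into the page with no sanitization,
// so any HTML or script in the crafted link is rendered in the admin's browser.
function render_title_unsafe(array $query): string
{
    $title = $query['title'] ?? '';
    return '<h2>' . $title . '</h2>';
}

// Hardened: escape the value for an HTML text context before output. With
// ENT_QUOTES both quote styles are encoded, so the value is also inert inside
// attributes. Drupal's check_plain() applies the same escaping.
function render_title_safe(array $query): string
{
    $title = $query['title'] ?? '';
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Constructed sample standing in for $_GET on a crafted link.
$sample = ['title' => '<script>/* attacker-supplied script */</script>'];

// Unsafe output still contains a live <script> element; safe output does not.
$unsafe = render_title_unsafe($sample);
$safe   = render_title_safe($sample);

assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

When reviewing a template or page callback for this bug, the check to make is that every request-derived value passes through the escaping function at the point of output; the fixed function above escapes at output time rather than at input time, so the stored value stays intact and only the rendered HTML is neutralised.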