Description
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
Remediation
References
Related Vulnerabilities
WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery SQL Injection (1.5.54)
WordPress Plugin Broken Link Manager Cross-Site Scripting (0.5.5)
Dotclear Other Vulnerability (CVE-2006-3938)
ownCloud Server-Side Request Forgery (SSRF) Vulnerability (CVE-2020-10252)
WordPress Plugin JobSearch WP Job Board Cross-Site Scripting (1.5.1)