Description
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
Remediation
References
Related Vulnerabilities
Drupal CVE-2017-6930 Vulnerability (CVE-2017-6930)
WordPress Plugin Comment Rating 'path' Parameter Cross-Site Scripting (2.9.20)
WordPress Plugin s2Member Framework 's2_invoice' Parameter Remote Security Bypass (111105)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-2901)