Description
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.
Remediation
References
Related Vulnerabilities
WordPress Plugin AStickyPostOrderER Cross-Site Scripting (0.3.1)
Drupal Improper Input Validation Vulnerability (CVE-2012-5653)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-1835)
Magento Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2020-9664)