Description
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
Remediation
References
Related Vulnerabilities
WordPress Plugin Bulk Page Creator Cross-Site Scripting (1.0.9)
WordPress Plugin IQ Testimonials Arbitrary File Upload (2.2.7)
WordPress Plugin WP Fastest Cache Cross-Site Request Forgery (0.9.0.2)
Liferay Portal Inefficient Regular Expression Complexity Vulnerability (CVE-2022-42124)
WordPress Plugin Easy Social Icons Cross-Site Scripting (3.1.2)