A user-supplied value is directly output during installation
allowing a malicious user to craft a URL and perform a cross-site
scripting attack. The exploit can only be conducted on sites not yet
installed.
The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal
site to send the user to an arbitrarily provided URL. No user
submitted data will be sent to that URL.
Locale module and dependent contributed modules do not sanitize the
display of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the
fact that the attacker must have a role with the 'administer
languages' permission.
Under certain circumstances, a user with an open session that is
blocked can maintain his/her session on the Drupal site, despite being
blocked.