The Node reference and User reference sub-modules, which
are part of the Content Construction Kit (CCK) project, lets
administrators define node fields that are references to other
nodes or to users. When displaying a node edit form, the
titles of candidate referenced nodes or names of candidate
referenced users are not properly filtered, allowing malicious
users to inject arbitrary code on those pages. Such a cross
site scripting (XSS) attack may lead to a malicious user
gaining full administrative access.