Ayman Hourieh

**Name of the Vulnerable Software and Affected Versions** Drupal versions 4.6 before 4.6.9 Drupal versions 4.7 before 4.7.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `msg` parameter in the user.module. **Recommendations** For Drupal versions 4.6 before 4.6.9, update to version 4.6.9 or later. For Drupal versions 4.7 before 4.7.3, update to version 4.7.3 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 4.6.x through 4.6.6 Drupal version 4.7.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `count` and `from` variables in the files `database.mysql.inc`, `database.pgsql.inc`, and `database.mysqli.inc`. **Recommendations** For Drupal versions 4.6.x through 4.6.6, update to version 4.6.7 or later. For Drupal version 4.7.0, update to a version later than 4.7.0.