PT-2010-3733 · Drupal · Drupal Storm

Published: 2010-06-01 · Updated: 2017-08-17 · CVE-2010-2123

CVSS v2.0: 2.1 (Low)

Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Drupal Storm module versions 5.x through 6.x-1.32

Description

The issue allows remote authenticated users with certain module privileges to inject arbitrary web script or HTML. This can be achieved via various parameters in different actions to index.php, including fullname, address, city, provstate, phone, taxid, name, stepno, title, and unspecified parameters in stormproject actions.

Recommendations

For Drupal Storm module versions 5.x through 6.x-1.32, update to version 6.x-1.33 or later to resolve the issue.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2010-2123

Affected products

Drupal Storm