Fabien Gutknecht

#19408 of 53,632
13.6 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-33239
6.1
2026-04-08
Drupal · Orejime · CVE-2026-6095
**Name of the Vulnerable Software and Affected Versions**
Drupal Orejime versions 0.0.0 through 2.0.15

**Description**
Improper neutralization of input during web page generation allows Cross-Site Scripting (XSS). The `IframeConsent` element writes HTML attributes without escaping their values. An attacker with a role that permits creating or modifying content in a field using a text format that enables `iframe-consent` HTML tags with alt attributes (specifically the *Enable JS Iframe consent* option) can insert arbitrary JavaScript by writing an `<iframe-consent>` tag.

**Recommendations**
Update to version 2.0.16. Restrict the use of text formats that allow `iframe-consent` HTML tags to authorized users only.
PT-2026-28676
7.5
2026-03-11
Drupal · Drupal · CVE-2026-4933
**Name of the Vulnerable Software and Affected Versions**
Drupal versions prior to 1.7.0

**Description**
An incorrect authorization issue exists in Drupal’s Unpublished Node Permissions, allowing forceful browsing. The problem relates to inconsistent access control for unpublished translated nodes. The module, designed to manage permissions for unpublished nodes per content type, does not consistently enforce these controls.

**Recommendations**
Update to version 1.7.0 or later.