Sumit Datta

#21889 of 53,635
10.8 Total CVSS
Vulnerabilities · 2
Medium · 2

PT-2009-4800 · CVSS 6.5 · 2009-07-08 · Drupal · Drupal · CVE-2009-2372

**Name of the Vulnerable Software and Affected Versions**
Drupal versions 6.x before 6.13

**Description**
The issue allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature, because it does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format.

**Recommendations**
For versions 6.x before 6.13, update to version 6.13 or later to resolve the issue.

PT-2009-4802 · CVSS 4.3 · 2009-07-08 · Drupal · Drupal · CVE-2009-2374

**Name of the Vulnerable Software and Affected Versions**
Drupal versions 5.x before 5.19
Drupal versions 6.x before 6.13

**Description**
The issue arises from improper sanitization of failed login attempts for pages containing sortable tables. This can lead to the exposure of usernames and passwords through two main vectors: (1) the HTTP referer header of external web sites that are visited from those links, (2) when page caching is enabled, the Drupal page cache.

**Recommendations**
For Drupal versions 5.x before 5.19, update to version 5.19 or later to resolve the issue.
For Drupal versions 6.x before 6.13, update to version 6.13 or later to resolve the issue.