PT-2006-1155 · Drupal · Drupal

Published: 2006-01-04 · Updated: 2024-08-07 · CVE-2006-0070

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Drupal versions prior to 4.5.6; Drupal versions prior to 4.6.4 when "Filtered HTML" is not enabled.
Description: The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusually encoded JavaScript function name. This can be demonstrated using variations of the alert() function.
Recommendations: For versions prior to 4.5.6 and for versions prior to 4.6.4, enable "Filtered HTML" to mitigate the risk. As a temporary workaround until a patch is available, consider restricting the use of IMG tags with encoded JavaScript function names.

Related Identifiers: CVE-2006-0070

Affected Products: Drupal