CVE-2007-4363

Name of the Vulnerable Software and Affected Versions Drupal Content Construction Kit (CCK) versions prior to 4.7.x-1.6 Drupal Content Construction Kit (CCK) versions prior to 5.x-1.6

Description The issue allows remote attackers to inject arbitrary web script or HTML via nodereference fields. This can occur when using the plain formatter or the autocomplete text field widget without Views.module.

Recommendations For versions prior to 4.7.x-1.6, update to version 4.7.x-1.6 or later. For versions prior to 5.x-1.6, update to version 5.x-1.6 or later. As a temporary workaround, consider disabling the use of nodereference fields with the plain formatter or the autocomplete text field widget until a patch is available.