CVE-2014-1607

Name of the Vulnerable Software and Affected Versions Drupal versions 7.14

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the year parameter to the "eventcalander/" endpoint. This issue has been disputed by the Drupal Security Team and may be site-specific.

Recommendations For version 7.14, as a temporary workaround, consider restricting access to the EventCalendar module until a patch is available. Avoid using the year parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.