Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.
drupal.org/node/449078
secunia.com/advisories/34948
secunia.com/advisories/34950
secunia.com/advisories/34980
www.debian.org/security/2009/dsa-1792
www.osvdb.org/54152
www.vbdrupal.org/forum/showthread.php?p=9953#post9953
www.vupen.com/english/advisories/2009/1216
exchange.xforce.ibmcloud.com/vulnerabilities/50250
www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html
www.redhat.com/archives/fedora-package-announce/2009-May/msg00133.html