Multiple cross-site scripting (XSS) vulnerabilities in the Rotor Banner module 5.x before 5.x-1.8 and 6.x before 6.x-2.5 for Drupal allow remote authenticated users, with "create rotor item" or "edit any rotor item" privileges, to inject arbitrary web script or HTML via the (1) srs, (2) title, or (3) alt image attribute.