CVE-2006-5475

Multiple cross-site scripting XSS vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed...

Directory traversal

Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with modmime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory...

CVE-2006-2743

Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with modmime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory...