Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages. The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages. http://drupal.org/node/227608
CVE name requested for this.
SA-2008-018 addressed in rawhide by 6.1, not present in 5.x branch for F-7 and F-8.
Jon: Thanks!
CVE-2008-1131: Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.
CVE-2008-1133: The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.