CVE-2010-2250

Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt