A reflected cross-site scripting vulnerability was discovered
in Drupal's error handler. Drupal displays PHP errors in the
messages area, and a specially crafted URL can cause malicious
scripts to be injected into the message. The issue can be
mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting
for production sites.

When using re-colorable themes, color inputs are not sanitized.
Malicious color values can be used to insert arbitrary CSS and
script code. Successful exploitation requires the "Administer
themes" permission.
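As an added illustration (not Drupal's own color module code), the kind of whitelist check that prevents the second issue: every submitted palette value must be a plain hex color before it is substituted into the generated stylesheet, so a value carrying extra CSS or markup is rejected outright rather than escaped. The function names, the `@key` placeholder syntax and the sample submission are assumptions made for this example.

```python
import re

# The only color syntax the palette accepts: #rgb or #rrggbb, nothing else.
HEX_COLOR = re.compile(r'^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$')


def normalize_color(value):
    """Return a canonical lower-case #rrggbb string, or None when the input
    is anything other than a bare hex color (such input must never reach CSS)."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    if not HEX_COLOR.match(value):
        return None
    digits = value[1:].lower()
    if len(digits) == 3:  # expand #abc to #aabbcc
        digits = ''.join(c * 2 for c in digits)
    return '#' + digits


def validate_palette(submitted, allowed_keys):
    """Check a submitted palette dict against the theme's known color keys.
    Returns (clean_palette, list_of_rejected_keys)."""
    clean, errors = {}, []
    for key in allowed_keys:
        color = normalize_color(submitted.get(key))
        if color is None:
            errors.append(key)
        else:
            clean[key] = color
    errors.extend(k for k in submitted if k not in allowed_keys)
    return clean, errors


def build_theme_css(template, submitted, allowed_keys):
    """Substitute validated colors for '@key' placeholders in a CSS template.
    Refuses (returns None) if any submitted value failed validation, so a
    partially trusted palette is never written to disk."""
    clean, errors = validate_palette(submitted, allowed_keys)
    if errors:
        return None
    css = template
    for key, color in clean.items():
        css = css.replace('@' + key, color)
    return css


SAMPLE_SUBMISSION = {  # constructed form input, as a settings handler might see it
    'base': '#0072b9',                          # valid
    'link': '027AC6',                           # missing '#', rejected
    'top': '#fff; } body { display: none; /*',  # extra CSS smuggled in, rejected
    'bottom': '#ABC',                           # valid short form, expanded
}
```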