(#Several vulnerabilities have been identified in Drupal third-party modules:#- CMS Updater: access bypass due to insufficient protection in the settings page. An remote attacker with "access administration pages" permission on the site could exploit it in order to change settings of the module##- CMS Updater: cross-site scripting due to insufficient sanitation of user provided text on the configuration page. A remote attacker can exploit it in order to execute arbitrary JavaScript or HTML##- amoCRM: cross-site scripting due to insufficient sanitation of logged data when malicious POST data is received. A remote attacker can exploit it in order to execute arbitrary JavaScript or HTML code. A module such as "Database logging" (dblog) must be enabled in order to display log messages in a HTML context##- Drupal 7 driver for SQL Server and SQL Azure: SQL injection due to improper escape of certain characters by the Drupal database API. A remote attacker can exploit it in order to to access restricted information by performing a specially-crafted search##- Scald: information disclosure due to the non-application of the restrictions on the fields attached to a given atom property in the "debug" context. Only sites that added fields to an atom type and then restricted access to those fields are vulnerable.)
