Description
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.