Description
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
Remediation
References