CVE ID: CVE-2007-0626
Published: 2007-01-31T13:28:00.000-05:00
Last modified: 2017-07-28T21:30:18.297-04:00

Vulnerable software:
    cpe:/a:drupal:drupal:4.7.5
    cpe:/a:drupal:drupal:5.0
    cpe:/a:vbdrupal:vbdrupal

CVSS base score: 7.6
    Access vector: NETWORK
    Access complexity: HIGH
    Authentication: NONE
    Confidentiality impact: COMPLETE
    Integrity impact: COMPLETE
    Availability impact: COMPLETE
    Source: http://nvd.nist.gov
    Generated on: 2007-01-31T18:22:00.000-05:00

Security protection: ALLOWS_ADMIN_ACCESS

References:
    BUGTRAQ 20070129 [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue
    BID 22306
    SECUNIA 23960
    SECUNIA 23990
    OSVDB 32136
    VUPEN ADV-2007-0406
    VUPEN ADV-2007-0415
    XF drupal-commentformaddpreview-code-execution(31940)
    CONFIRM http://drupal.org/node/113935
    CONFIRM http://www.vbdrupal.org/forum/showthread.php?t=786

Summary: The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."