Hi,

There is a persistent XSS in Drupal versions 5.x, 6.x and 7.x ( I have not
yet tested Drupal 8.x due to not being fully released ).

The function which is vulnerable is the watchdog() function, where the
$message parameter does not get sanitized and you can pass through
arbitrary code to be executed on the clients browser.

This can be exploited if a module/theme/hook call directly calls the
watchdog function. You could pass in a simple:
<script>alert(document.domain);</script> or whatever payload you wish.

For example, you could hijack the admin's browser using something like BeEF
framework or similar tools.

A simple way to fix this bug would be to wrap the $message htmlentities().

Thanks.

Richard Clifford.