Hi,

There is a persistent XSS in Drupal versions 5.x, 6.x and 7.x (I have not yet tested Drupal 8.x, as it has not been fully released). The vulnerable function is watchdog(), where the $message parameter does not get sanitized, so arbitrary code can be passed through and executed in the client's browser. This can be exploited if a module/theme/hook directly calls the watchdog function. You could pass in a simple: or whatever payload you wish. For example, you could hijack the admin's browser using something like the BeEF framework or similar tools. A simple way to fix this bug would be to wrap $message in htmlentities().

Thanks.

Richard Clifford
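Added example (editor's illustration, not the reporter's code and not Drupal's own): a throwaway stand-in for watchdog() that only records messages, so a module's unsafe call can be compared offline with the escaped call the report suggests. The module name 'mymodule', the stub's signature and the username input are constructed.

```php
<?php
// Stand-in for Drupal's watchdog(): a real one writes to the log backend
// (dblog, syslog). This stub just keeps the raw strings for comparison.
$log = array();
function watchdog($type, $message, $variables = array()) {
    global $log;
    // Naive backend: substitute variables verbatim, store the string as-is.
    $log[] = array('type' => $type, 'message' => strtr($message, $variables));
}

// Constructed attacker-controlled input, e.g. a submitted login name.
$username = '<b>not-a-user</b>';

// Vulnerable pattern from the report: untrusted input concatenated straight
// into $message. Any markup it contains reaches the log viewer unescaped.
function log_failed_login_unsafe($username) {
    watchdog('mymodule', "Failed login for user $username");
}

// Hardened pattern: escape before the value reaches watchdog(), which is
// what the report's htmlentities() suggestion does. htmlspecialchars() with
// ENT_QUOTES neutralises <, >, &, " and ' so the browser renders them as text.
function log_failed_login_safe($username) {
    $safe = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    watchdog('mymodule', "Failed login for user $safe");
}

log_failed_login_unsafe($username);
log_failed_login_safe($username);

foreach ($log as $i => $entry) {
    echo $i . ' [' . $entry['type'] . '] ' . $entry['message'] . "\n";
}
```

The first log entry still carries the raw tags and would render as HTML in a log viewer that does not escape on output; the second carries only entity-encoded text.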