Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.
