The Contact module does not correctly handle certain user input
when displaying category information. Users privileged to create
contact categories can insert arbitrary HTML and script code into the
contact module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.
The Menu module does not correctly handle certain user input when
displaying the menu administration overview. Users privileged to
create new menus can insert arbitrary HTML and script code into the
menu module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.