The development team behind the Drupal module Context have released version 6.x-2.0-rc4, which fixes a cross-site scripting (XSS) vulnerability when displaying block descriptions. If a user with 'administer blocks' permission clicks on a crafted link, JavaScript contained in the link is executed with the privileges of the Drupal page. Attackers can exploit this to gain access to a system.
Just a few weeks ago, a 'simple' XSS vulnerability in a bug-tracking system allowed root access to Apache Software Foundation servers, so XSS vulnerabilities are certainly not to be treated lightly.

Update: According to Drupal security team member Heine Deelstra, exploiting the vulnerability involves no URL manipulation and no JavaScript in a link. The vulnerability occurs when a user with 'administer blocks' permission has added JavaScript to a block description on the block administration page, and that description is then rendered unescaped. The impact is low because few sites using Context have role separation between block admins and other admins. Only a small subset of the sites running the Context release candidate are affected.
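To illustrate the class of bug described above, here is an added example (not code from the Context module or from Drupal itself): a hypothetical block-description renderer in its vulnerable form beside its escaped form, using Drupal 6's check_plain() with a stand-in fallback so it runs outside Drupal. The function names and the sample description are constructed for this illustration.

```php
<?php
// Added illustration of the bug class: a stored XSS that arises when a
// block description saved by one administrator is echoed unescaped on the
// block administration page viewed by another.
// Drupal 6 provides check_plain(); outside Drupal we define a stand-in so
// this script runs stand-alone (the fallback mirrors Drupal's implementation).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical helper (assumption, not the module's code): builds the HTML
// fragment shown on the block administration page.
// Vulnerable form: the stored description is concatenated into the page
// as-is, so any markup it contains is interpreted by the viewer's browser.
function render_block_description_vulnerable($description) {
  return '<div class="block-description">' . $description . '</div>';
}

// Hardened form: escape on output. A description is plain text, so
// check_plain() is the right filter; filter_xss() would be the choice only
// for fields that legitimately carry a limited HTML subset.
function render_block_description_safe($description) {
  return '<div class="block-description">' . check_plain($description) . '</div>';
}

// Constructed sample input: a description containing script markup, the
// kind of value the advisory says a block admin could have stored.
$stored = "Footer block <script>alert('xss')</script>";

// The vulnerable renderer emits the script tag intact; the hardened one
// turns it into inert text that the browser displays instead of executing.
echo "vulnerable: ", render_block_description_vulnerable($stored), "\n";
echo "escaped:    ", render_block_description_safe($stored), "\n";
```

On an affected site, the defensive check is the same in both directions: upgrade to a release that escapes the description, and review existing block descriptions for markup that should not be there.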

The link for this article located at H Security is no longer available.