See SA-CONTRIB-2012-086 - Amadou - Cross Site Scripting.

An XSS vulnerability was identified in Amadou theme's themes_links() function in the template.php file, which was fixed in the theme_links() function in Drupal 6.3 as noted in (SA-2008-044 http://drupal.org/node/280571).

This release fixes that security issue and should be applied to all Drupal 6 websites running Amadou theme.

The current 6.x-1.x-dev release also contains this fix.

See SA-CONTRIB-2012-090 - File depot - Session Management Vulnerability.

This release addresses a SESSION control issue that caused IE browser users to switch users if they had multiple sessions open with different browsers on the same desktop.

This release contains an important security fix. Users of the module are strongly encouraged to update to this version as soon as possible.
If you are using an older version, incorrectly escaped error messages might lead to your site being vulnerable to an XSS attack. Note, however, that this can only occur if you somehow allow users to specify the used internal field identifiers (e.g., through Views exposed sorts or the old (deprecated) Search API Facets module).

This release contains only one change compared to the previous Beta 2 release: some error messages weren't properly escaped, which has now been fixed.

Since this might lead to an XSS vulnerability on your site (depending on the rest of your search setup), it is strongly recommended that you update to this new version.

This release contains only one change compared to the previous Beta 2 release: some error messages weren't properly escaped, which has now been fixed.

Since this might lead to an XSS vulnerability on your site (depending on the rest of your search setup), it is strongly recommended that you update to this new version.

See also SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)

This is a security release, containing an important security fix. Users of the project are strongly encouraged to update to this version as soon as possible.
If you are using an older version, incorrectly escaped error messages might lead to your site being vulnerable to an XSS attack. Note, however, that this can only happen if you have some advanced search mechanism, like a view with exposed sorts or use the old (deprecated) Facets module.

As announced in the RC1 release notes, this release also removes the old Facets module, in the future only the Facet API integration is supported.