(http://drupal.org/node/999380 for reference)
The way that I read the description of this update, it only applies to user-generated content - allowing a malicious, logged-in user to post a URL that, if followed by an admin user (though it's not clear what permission exactly defines "admin" in this case), would provide the malicious user with super-user access.
My assumption is that this vulnerability isn't really applicable on a single-user Drupal site, i.e., a site that doesn't give out user accounts to potentially malicious users. Is that correct? Or could this cross-site scripting attack originate from a link in an email sent from a contact form? Or from another website?
Finally, the description of the vulnerability states that it's only applicable to certain configuration combinations. Anyone got any beta on that?
Thanks in advance,