CVE 2010-2250
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
See the 
CVE page on Mitre.org
for more details.
