Drupal SAs for September 2008

There have been 5 Drupal security announcements for September 2008 about third-party modules with cross-site scripting (XSS) vulnerabilities. Drupal core is not affected in any of these cases, so updating the module is adequate in all but one situation; see DRUPAL-SA-2008-048-b for more information.
  • "Answers" module (all Drupal 5.x versions)
    DRUPAL-SA-2008-053
  • "Link To Us" module (5.x prior to 5.x-1.1 and 6.x-dev)
    DRUPAL-SA-2008-052
  • Mailsave module (5.x prior to 5.x-3.3 and 6.x prior to 6.x-1.3)
    DRUPAL-SA-2008-051
  • Mailhandler module (5.x prior to 5.x-1.4 and 6.x prior to 6.x-1.4)
    DRUPAL-SA-2008-050
  • CCK module (5.x prior to 5.x-1.9)
    DRUPAL-SA-2008-048-b
    NOTE 1: SA-2008-048 stated that the vulnerable versions were those prior to 5.x-1.8; this SA updates that to 5.x-1.9.
    NOTE 2: If your theme uses field templates, you will need to manually change the function phptemplate_field or THEME_NAME_field in your theme's template.php:
      from: 'label' => t($field['widget']['label']),
      to:   'label' => check_plain(t($field['widget']['label'])),
  • PluginManager module (Drupal 6.x prior to 6.x-1.2)
    DRUPAL-SA-2008-054
  • Stock module (Drupal 6.x prior to 6.x-1.0)
    DRUPAL-SA-2008-055
  • Simplenews module (Drupal 5.x prior to 6.x-1.5, 6.x prior to 6.x-1.0-beta4)
    DRUPAL-SA-2008-056
  • Ajax checklist module (Drupal 5.x prior to 5.x-1.1)
    DRUPAL-SA-2008-057
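
To find themes that still need the manual change from NOTE 2 under DRUPAL-SA-2008-048-b, the following added example (not part of the original post or of the CCK project) scans template.php files for a field label value that is not passed through check_plain(). The sample PHP snippets, the function names find_unescaped_labels and scan_themes, and the themes path in the usage comment are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# A 'label' => ... entry whose value is built from $field['widget']['label'].
LABEL_RE = re.compile(
    r"""['"]label['"]\s*=>\s*(?P<expr>.*\$field\[['"]widget['"]\]\[['"]label['"]\].*)"""
)

# Constructed sample input: a theme override before and after the manual fix.
SAMPLE_UNPATCHED = """<?php
function phptemplate_field(&$node, &$field, &$items, $teaser, $page) {
  $variables = array(
    'label' => t($field['widget']['label']),
  );
}
"""
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace(
    "t($field['widget']['label'])", "check_plain(t($field['widget']['label']))"
)


def find_unescaped_labels(php_source):
    """Return [(line_no, line)] for label values not passed through check_plain()."""
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # ignore commented-out code
        match = LABEL_RE.search(stripped)
        # Heuristic: any check_plain( call in the value counts as escaped.
        if match and "check_plain(" not in match.group("expr"):
            hits.append((line_no, stripped))
    return hits


def scan_themes(root):
    """Scan every template.php under root; return {path: hits} for flagged files."""
    flagged = {}
    for path in sorted(Path(root).rglob("template.php")):
        hits = find_unescaped_labels(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            flagged[str(path)] = hits
    return flagged


if __name__ == "__main__":
    # Usage (example path): python scan_labels.py /path/to/drupal/sites/all/themes
    for file_path, hits in scan_themes(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, text in hits:
            print(f"{file_path}:{line_no}: unescaped field label: {text}")
```

A flagged line is a candidate for review, not proof of exposure; a theme that escapes the label elsewhere in the same function will still be reported.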
