The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks."

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2772)