Drupal version 6.16 with Ctools version 6.x-1.3 suffers from php code execution and cross site request forgery vulnerabilities.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/89763/drupalchaos-execxsrf.txt
Source: https://packetstormsecurity.com/files/89763/Drupal-6.16-Ctools-6.x-1.3-PHP-Code-Execution-Cross-Site-Request-Forgery.html