Component Type: TYPO3 Core
Affected Version: TYPO3 version 4.2.2
Vulnerability Type: Cross Site Scripting
Vulnerability: Backend module "file" is susceptible to Cross-Site Scripting.
Severity: Low
Problem Description: The module does not filter user input before echoing it back into its HTML output, so it is susceptible to Cross-Site Scripting, making it possible to execute arbitrary JavaScript in the browser of a logged-in backend user.
Note: Exploiting this vulnerability requires either background knowledge of the web folder structure of the TYPO3 installation or a backend user account with access to the file module. The vulnerability can be exploited to execute arbitrary JavaScript by tricking a logged-in BE user into following a specially crafted link. TYPO3 versions below 4.2.2 are not vulnerable!
Solution: Update to TYPO3 version 4.2.3 that fixes the issue described.
Credits: Credits go to TYPO3 Security Team member Marcus Krause, who reported the issue. The TYPO3 Security Team also wishes to thank Marcus Krause for fixing the issue in cooperation with core team member Ingo Renner.
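The following PHP snippet is an added illustration of the bug class named in the Problem Description, not code from TYPO3 or from the fix in 4.2.3: a request parameter reflected into HTML without filtering, beside the output-encoded form that the Solution implies. The parameter name "target" and the function names are hypothetical and do not identify the actual vulnerable code path in the file module.

```php
<?php
// Added illustration, not TYPO3 code. The parameter name "target" and the
// function names below are hypothetical.

// Vulnerable form: the request parameter is concatenated into the HTML body
// unchanged. A crafted link carrying <script>...</script> in "target" is
// therefore executed by the browser of the user who follows it, which is the
// reflected XSS pattern the advisory describes.
function render_target_vulnerable(string $target): string
{
    return '<p>Current folder: ' . $target . '</p>';
}

// Hardened form: encode for the HTML context at the point of output so that
// markup in the value is rendered as text. ENT_QUOTES also encodes single and
// double quotes, so the same value is safe inside a quoted attribute, and the
// explicit charset avoids encoding mismatches.
function render_target_escaped(string $target): string
{
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return '<p>Current folder: ' . $safe . '</p>';
}

// Entry point that reads the parameter from the query string (passed in as an
// array so the function can be exercised offline) and uses the hardened form.
function handle_request(array $query): string
{
    $target = isset($query['target']) ? (string) $query['target'] : '';
    return render_target_escaped($target);
}

// Constructed payload for a local check; no web server is needed.
$payload = '<script>alert(document.cookie)</script>';
echo render_target_vulnerable($payload), PHP_EOL;
echo handle_request(['target' => $payload]), PHP_EOL;
```

Running the script with `php` prints the unencoded variant, in which the script tag survives intact, followed by the encoded variant, in which the angle brackets appear as `&lt;` and `&gt;` entities. The fix belongs at the output site rather than at input time, because the same value may later be emitted in a different context (attribute, JavaScript string, URL) that needs a different encoding.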