TYPO3-CORE-SA-2012-003: Cross-Site Scripting Vulnerability in TYPO3 Core
July 04, 2012
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting.
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch.
Bulletin history: July 4, 2012 - corrected Secunia Advisory ID
Vulnerable subcomponent: Flash File Uploader
Vulnerability Type: Cross-Site Scripting
Note: The vulnerability in the swfupload library is addressed by Secunia Advisory SA49651.
Solution: Update to TYPO3 version 4.5.17, 4.6.10 or 4.7.2, which fix the problem described.
Credits: Credits go to Nathan Partlan and Neal Poole who discovered the original movieName XSS vulnerability in the swfupload library.