It has been discovered that TYPO3 Flow is susceptible to Cross-Site Scripting.
Affected versions: 1.1.0, 2.0.0 and the current development branch.
Release date: December 10, 2013
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C
The errorAction method in the ActionController base class of Flow returns error messages without properly encoding them for the HTML context in which they are output. Because these error messages can contain user input, this can lead to a Cross-Site Scripting vulnerability in Flow-driven applications.
If you have customized the error action in your Flow application, we advise you to check that the error messages returned by these actions contain only static strings and are not derived from any kind of user input. If you are not sure whether your code is fine in that regard, feel free to ask on a public mailing list or in the forum.
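The following is an added illustration of the pattern the two paragraphs above describe; it is not code from TYPO3 Flow and does not reproduce the framework's own errorAction. It models a customized error action as plain PHP: the vulnerable variant concatenates a submitted argument into the returned message unencoded, the hardened variant either returns a static string (the advisory's recommendation) or HTML-encodes the value if it must be echoed. The class names, method names, the "email" argument and the submitted payload are all assumptions constructed for this example.

```php
<?php
// Added illustration for this advisory; not TYPO3 Flow's own code.
// Models a customized errorAction() as described in the advisory. The
// class, method and argument names are hypothetical.

// Constructed sample input: what a crafted request might submit as the
// "email" argument of a form that then fails validation.
$submittedEmail = '<script>alert(document.cookie)</script>';

class VulnerableErrorAction
{
    // Builds the error message by concatenating the raw request value.
    // Whatever this returns is emitted as the response body as-is, so
    // markup in the argument is rendered by the browser.
    public function errorAction(string $argumentValue): string
    {
        return 'Validation failed: "' . $argumentValue . '" is not a valid email address.';
    }
}

class HardenedErrorAction
{
    // Option 1 (what the advisory recommends): the message contains only
    // static text, so no user-controlled data reaches the response.
    public function errorActionStatic(string $argumentValue): string
    {
        return 'Validation failed: the submitted email address is not valid.';
    }

    // Option 2: if the value has to be shown, encode it for the HTML
    // context before placing it in the message.
    public function errorActionEncoded(string $argumentValue): string
    {
        $safe = htmlspecialchars($argumentValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return 'Validation failed: "' . $safe . '" is not a valid email address.';
    }
}

// Check usable from a test case: the rendered response must never contain
// the raw payload that was submitted.
function containsRawPayload(string $response, string $payload): bool
{
    return strpos($response, $payload) !== false;
}

$hardened  = new HardenedErrorAction();
$responses = [
    'vulnerable' => (new VulnerableErrorAction())->errorAction($submittedEmail),
    'static'     => $hardened->errorActionStatic($submittedEmail),
    'encoded'    => $hardened->errorActionEncoded($submittedEmail),
];

foreach ($responses as $label => $response) {
    printf(
        "%-10s raw payload present: %s\n    %s\n",
        $label,
        containsRawPayload($response, $submittedEmail) ? 'yes' : 'no',
        $response
    );
}
```

Only the vulnerable variant reproduces the submitted `<script>` tag verbatim; the encoded variant turns it into `&lt;script&gt;`, and the static variant never touches the argument. The same `containsRawPayload` check, run against the actual response of a customized error action, is a quick way to confirm the guidance above in an application's own test suite.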
Update to Flow version 1.1.1 or 2.0.1, which fix the problem described.
The same problem applies to the Extbase framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2013-004 for more information.
Please subscribe to the typo3-announce