Component Type: TYPO3 Core
Affected Versions: TYPO3 4.x below 4.0.5, 4.1beta, 4.1RC1, TYPO3 Versions 3.x
Vulnerability Type: Email header injection
The internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for.
Update to TYPO3 version 4.0.5 or later.
Credits go to Olivier Dobberkau, Andreas Otto, and Thorsten Kahler, who discovered and supplied a patch for this issue.