Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 1.6.2 and all versions below
Vulnerability Type: Arbitrary Code Execution, Cross Site Scripting
Solution: An updated version 1.6.3 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/wec_discussion/1.6.3/. Users of the extension are advised to update the extension as soon as possible.
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Credits: Credits go to Markus Angerer, who discovered one of the issues. Furthermore, the TYPO3 Security Team wishes to thank the extension author Dave Slayback for fixing the issues.