Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch.
Bulletin history: July 4, 2012 - corrected Secunia Advisory ID
Vulnerable subcomponent: Flash File Uploader
Vulnerability Type: Cross-Site Scripting
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
Note: The vulnerability in the swfupload library is addressed by Secunia Advisory SA49651.
Solution: Update to TYPO3 version 4.5.17, 4.6.10 or 4.7.2, which fix the problem described.
Credits: Credits go to Nathan Partlan and Neal Poole, who discovered the original movieName XSS vulnerability in the swfupload library, and to Lukas Reschke, who reported the problem to the TYPO3 Security Team.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.