TYPO3-CORE-SA-2012-003: Cross-Site Scripting Vulnerability in TYPO3 Core
July 04, 2012
It has been discovered that TYPO3 Core is vulnerable to Cross-Site Scripting.
Component Type: TYPO3 Core
Affected Versions: 4.5.0 up to 4.5.16, 4.6.0 up to 4.6.9, 4.7.0 up to 4.7.1 and development releases of the 6.0 branch.
Bulletin history: July 4, 2012 - corrected Secunia Advisory ID
Vulnerable subcomponent: Flash File Uploader
Vulnerability Type: Cross-Site Scripting
Note: The vulnerability in the swfupload library is addressed by Secunia Advisory SA49651.
Solution: Update to TYPO3 version 4.5.17, 4.6.10 or 4.7.2, each of which fixes the problem described.
Credits: Credits go to Nathan Partlan and Neal Poole, who discovered the original movieName XSS vulnerability in the swfupload library, and to Lukas Reschke, who reported the problem to the TYPO3 Security Team.