FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- Cross-Site Scripting Vulnerability in TYPO3 Core

Affected packages
4.5 <= typo3 < 4.5.17
4.6 <= typo3 < 4.6.10
4.7 <= typo3 < 4.7.2


VuXML ID c28ee9cd-916e-4dcf-8ed3-e97e5846db6c
Discovery 2012-07-04
Entry 2012-07-06

Typo3 Security Report (TYPO3-CORE-SA-2012-003):

TYPO3 bundles and uses an external JavaScript and Flash Upload Library called swfupload. TYPO3 can be configured to use this Flash uploader. Input passed via the "movieName" parameter to swfupload.swf is not properly sanitised before being used in a call to "". This can be exploited to execute arbitrary script code in a user's browser session in context of an affected site. The existance of the swfupload library is sufficient to be vulnerable to the reported problem.