It has been discovered that TYPO3 Core is vulnerable to
Cross-Site Scripting and Remote Code Execution.
TYPO3 bundles flash files for video and audio playback. Old
versions of FlowPlayer and flashmedia are susceptible to
Cross-Site Scripting. No authentication is required to exploit
this vulnerability.
The file upload component and the File Abstraction Layer are
failing to check for denied file extensions, which allows
authenticated editors (even with limited permissions) to
upload php files with arbitrary code, which can then be
executed in web server's context.