Typo3 Security Report (TYPO3-CORE-SA-2012-003):
TYPO3 bundles and uses an external JavaScript and Flash Upload Library
called swfupload. TYPO3 can be configured to use this Flash uploader.
Input passed via the "movieName" parameter to swfupload.swf is not
properly sanitised before being used in a call to
"ExternalInterface.call()". This can be exploited to execute arbitrary
script code in a user's browser session in context of an affected site.
The existance of the swfupload library is sufficient to be vulnerable
to the reported problem.