A highly critical flaw in TYPO3 allows an attacker to compromise a user's system. Input data passed via the "BACK_PATH" parameter in typo3/sysext/workspaces/Classes/Controller/AbstractController.php is not properly sanitized before being used. This allows arbitrary files to be uploaded from a remote server.
The vulnerability was discovered in version 4.6.1. Other versions may also be vulnerable.
Users should upgrade to version 4.6.2.
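A log check for the issue described above, as an added example that is not part of the original advisory or of TYPO3's code: it flags requests to the named controller file whose query values point at a remote resource, including percent-encoded and double-encoded values. The combined log format, the `param` name, the host `remote.example` and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# File path as given in the advisory; log format and sample lines are assumptions.
VULN_PATH = "typo3/sysext/workspaces/Classes/Controller/AbstractController.php"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A value that starts with scheme:// or with a protocol-relative //host
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2011:10:00:00 +0000] "GET /typo3/sysext/workspaces/'
    'Classes/Controller/AbstractController.php?param=http%3A%2F%2Fremote.example%2F'
    ' HTTP/1.1" 200 512',
    '203.0.113.8 - - [19/Dec/2011:10:00:05 +0000] "GET /typo3/sysext/workspaces/'
    'Classes/Controller/AbstractController.php?param=http%253A%252F%252Fremote.example%252F'
    ' HTTP/1.1" 200 512',
    '198.51.100.4 - - [19/Dec/2011:10:01:00 +0000] "GET /typo3/sysext/workspaces/'
    'Classes/Controller/AbstractController.php?id=42 HTTP/1.1" 200 128',
    '198.51.100.4 - - [19/Dec/2011:10:02:00 +0000] "GET /typo3/index.php'
    '?redirect_url=http%3A%2F%2Fremote.example%2F HTTP/1.1" 302 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Names of query parameters carrying a remote reference on requests
    to the controller file named in the advisory; [] otherwise."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not fully_decode(parts.path).lower().endswith(VULN_PATH.lower()):
        return []
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if REMOTE_RE.match(fully_decode(value))]

def scan(lines):
    """(line number, parameter names) for every flagged line."""
    return [(i, hits) for i, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit on an installation still running 4.6.1 warrants review of the request and of the files on that host.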
Source: Secunia
19.12.2011