It has been discovered that the extension "Drag Drop Mass Upload" (ameos_dragndropupload) is susceptible to Cross-Site Scripting, Cross-Site Request Forgery and Improper Access Control.

More... (http://www.typo3.org/news/article/improper-access-control-in-drag-drop-mass-upload-ameos-dragndropupload/)