The Media Manager allows .swf files to be uploaded.
A similar issue existed in WordPress:
Proof of Concept:
If you have upload permission, upload xss.swf by evilcos.
Then you can use:
Timeline:
- 16-11-2014: Discovered
- 16-11-2014: Vendor notified
- 03-12-2014: Hotfix released, issue resolved
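
A defensive check for the issue above, as an added example that is not part of the original advisory or the vendor's hotfix: it refuses uploads by extension and by SWF header signature, and audits an existing media directory for Flash content stored under any file name. The function names, the blocked-extension policy and the sample files are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

# SWF header signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
BLOCKED_EXTENSIONS = {".swf"}  # assumption: the site has no need for Flash uploads

def looks_like_swf(head):
    """True if the bytes start with an SWF header (signature, version, length)."""
    if len(head) < 8 or head[:3] not in SWF_SIGNATURES:
        return False
    version = head[3]
    declared_len = struct.unpack("<I", head[4:8])[0]  # little-endian uint32
    return version >= 1 and declared_len >= 8

def upload_allowed(filename, content):
    """Hypothetical upload gate: refuse by extension and by content."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS and not looks_like_swf(content[:8])

def find_swf_files(media_root):
    """List files under media_root whose content is SWF, whatever their name."""
    hits = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if looks_like_swf(fh.read(8)):
                    hits.append(os.path.relpath(path, media_root))
    return sorted(hits)

# Constructed sample files (header bytes only, not real Flash content)
SAMPLES = {
    "xss.swf": b"CWS\x0a" + struct.pack("<I", 64) + b"\x00" * 16,
    "logo.png": b"FWS\x09" + struct.pack("<I", 32) + b"\x00" * 24,  # SWF header, image name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

def demo():
    """Write the samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_swf_files(root)

if __name__ == "__main__":
    print(demo())
```

Running `find_swf_files` over the wiki's media directory after applying the hotfix shows whether any Flash files were uploaded before the fix and still need removing.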