For more details see:
This ticket is linked to from the changelog, can we make it public?
Also, what is the exact scope of this vulnerability? Is Flash BBCode available by default?
Yes, it is enabled by default; and yes, IMO we should make it public.
Well, it is activated by default, but permissions for "Limited Access" and "Standard Access" do not allow using it. So it's kind of only activated for Moderators and Administrators by default.
Made public. Why does this not have an assignee?
So then the vulnerability can only be exploited by moderators or admins in a default install, am I understanding it correctly?
Yes, I think so.
The BBCode tag was not executed for the given code. It posted as literal text.