TinyMCE media plugin includes a flash player that in pervious versions of eZ Publish (ezoe) where vulnerable to CSRF attacks.
As the media plugin (and hence the .swf file) is not used by eZ Online Editor, it is recommended to remove it.
Patch
In version 4.1 - 4.5 (OE 5.0 - 5.3) remove the following file:
extension/ezoe/design/standard/javascript/plugins/media/img/flv_player.swf
In version 4.6 (OE 5.4) remove the following file:
extension/ezoe/design/standard/javascript/plugins/media/moxieplayer.swf
Or grab updated binary file from TinyMCE's github repo.