VYPR
Medium severity · GHSA Advisory · Published Mar 19, 2025

Additional TCA Allows Cross-Site Scripting (XSS)

CVE-2025-30083

Description

A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerability is exploitable by a logged-in backend user using the TYPO3 backend user interface. Such a user can create output in the HTML context by exploiting improperly encoded user input. Updates 1.15.17 and 1.16.9 are available for download.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS in the Additional TCA extension allows authenticated backend users to inject arbitrary HTML or JavaScript via improperly encoded user input.

Vulnerability

Description

CVE-2025-30083 is a cross-site scripting (XSS) vulnerability in the TYPO3 extension "Additional TCA" (additional_tca). The root cause is that the extension fails to properly encode user input when generating output in the HTML context within the TYPO3 backend user interface [2]. This improper encoding allows an attacker to inject arbitrary HTML or JavaScript code.

Exploitation

Prerequisites

Exploitation requires that the attacker is a logged-in backend user of the TYPO3 site. With that access the attacker can produce output containing malicious content by supplying input that the extension renders into the HTML context without proper encoding [1][2]. The attack vector is network-based, requires low privileges, and depends on user interaction: another backend user must view the page on which the injected content is rendered.
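The bug class described above and in the Description, shown as an added example that is not code from the additional_tca extension or from TYPO3 core: a backend module writes a value a backend user controls into the HTML context, first without encoding (the vulnerable pattern) and then encoded at the point of output. The function names, the table-cell markup and the payload are constructed for this illustration; PHP 8 is assumed for str_contains().

```php
<?php
declare(strict_types=1);

// Added example; not code from the additional_tca extension or TYPO3 core.
// Function names, markup and the sample payload are constructed for illustration.

/**
 * Vulnerable pattern: a value a backend user controls is concatenated into
 * HTML as-is, so any markup or script in it is interpreted by the browser
 * of whichever backend user views the rendered list.
 */
function renderTitleCellUnsafe(string $title): string
{
    return '<td class="col-title">' . $title . '</td>';
}

/**
 * Encode a string for the HTML body and for double- or single-quoted
 * attribute values. ENT_QUOTES encodes both quote characters, ENT_HTML5
 * selects the HTML5 entity table, ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of returning an empty string (which would silently
 * drop the cell). The charset is passed explicitly so the result does not
 * depend on default_charset in php.ini.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: encode at the point of output, for the context in use. */
function renderTitleCellSafe(string $title): string
{
    return '<td class="col-title">' . encodeForHtml($title) . '</td>';
}

/**
 * Attribute context: the same encoder is correct, but the attribute must also
 * be quoted. An unquoted title=... stays injectable even with encoding,
 * because a space in the value starts a new attribute.
 */
function renderTitleCellWithTooltip(string $title): string
{
    $enc = encodeForHtml($title);
    return '<td class="col-title"><span title="' . $enc . '">' . $enc . '</span></td>';
}

/**
 * Renders a constructed payload through all three functions and throws if
 * the hardened variants fail to neutralise it. Returns the rendered HTML.
 */
function selfCheck(): array
{
    // Constructed payload standing in for a value a low-privileged backend user could save.
    $payload = '<img src=x onerror="alert(document.cookie)">';

    $unsafe  = renderTitleCellUnsafe($payload);
    $safe    = renderTitleCellSafe($payload);
    $tooltip = renderTitleCellWithTooltip($payload);

    $expected = '<td class="col-title">&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;</td>';

    if (!str_contains($unsafe, '<img src=x onerror=')) {
        throw new RuntimeException('unsafe renderer should echo the tag verbatim');
    }
    if ($safe !== $expected) {
        throw new RuntimeException('safe renderer produced: ' . $safe);
    }
    // Only the template's own four quote characters may survive: two for
    // class="col-title" and two for title="...". A fifth would mean the
    // payload broke out of the attribute value.
    if (str_contains($tooltip, '<img') || substr_count($tooltip, '"') !== 4) {
        throw new RuntimeException('attribute renderer is injectable: ' . $tooltip);
    }
    return ['unsafe' => $unsafe, 'safe' => $safe, 'tooltip' => $tooltip];
}

foreach (selfCheck() as $name => $html) {
    echo $name, ': ', $html, PHP_EOL;
}
```

Running the script with php prints the raw tag for the unsafe renderer and the entity-encoded cell for the two hardened ones. In TYPO3 extension code the same rule applies: markup built by string concatenation in PHP goes through htmlspecialchars() as above, and Fluid templates keep their default escaping, since piping a user-controlled value through f:format.raw reintroduces exactly this bug. A value placed into inline JavaScript needs a JavaScript-context encoder (TYPO3 core provides GeneralUtility::quoteJSvalue()), because HTML entity encoding does not protect that context.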

Impact

A successful exploit executes attacker-controlled script in the backend interface of other users. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) rates the impact on confidentiality, integrity and availability as low, since the script runs with the permissions of the backend user who views the payload [2]. Even so, XSS in the backend can be leveraged to issue requests within the victim's session, to hijack that session or steal credentials, or to perform further administrative actions if the victim holds higher privileges.

Mitigation

Updates have been released: version 1.15.17 (for the 1.15.x branch) and version 1.16.9 (for the 1.16.x branch) [1]. The TYPO3 Security Team also recommends enabling Content Security Policy (CSP) for the backend interface as an additional hardening measure [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Source     Affected versions      Patched version
codingms/additional-tca  Packagist  >= 1.16.0, < 1.16.9    1.16.9
codingms/additional-tca  Packagist  >= 1.7.0, < 1.15.17    1.15.17

Affected products: 2

Patches: 0

No patch commits discovered yet; the fixed releases 1.15.17 and 1.16.9 are listed under Affected packages.


References: 3
