typo3/cms is susceptible to cross-site scripting (XSS). The attack is possible because of lack of sanitization of HTML placeholder attributes, allowing a valid backend user account to inject malicious scripts via the attributes and get executed when a user visits the page.