typo3/cms-core is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper user input encoding of notifications shown in modal windows within the TYPO3 backend, which allows an attacker with a valid backend user account to execute arbitrary JavaScript in a users browser.