typo3/cms is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to failing to properly encode user input in online media asset rendering for *.youtube
and *.vimeo
files, requiring a valid backend user account or write access on the server system to exploit.