CVE-2019-25094: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was identified in innologi appointments Extension up to version 2.0.5 on TYPO3. The vulnerability affects the Appointment Handler component, where manipulation of the formfield argument can lead to XSS attacks. The issue was assigned the identifier CVE-2019-25094 and was publicly disclosed on January 4, 2023 (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It received a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows remote attackers to inject malicious scripts that can execute in users' browsers when viewing affected pages. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

The vulnerability has been fixed in version 2.0.6 of the innologi appointments Extension. Users are recommended to upgrade to this version. The fix is identified by the commit 986d3cb34e5e086c6f04e061f600ffc5837abe7f, which implements proper XSS prevention on various formfield values (GitHub Patch).