
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in TYPO3 CMS versions greater than or equal to 9.5.12 and less than 9.5.17, and greater than or equal to 10.2.0 and less than 10.4.2. The vulnerability is in the typolink functionality: properties assigned as HTML attributes of link tags were not parsed properly (GitHub Advisory).
The vulnerability is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 score indicating moderate severity. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (GitHub Advisory).
The vulnerability allows attackers to potentially execute cross-site scripting attacks through improperly parsed HTML attributes in link tags, which could lead to unauthorized data access or manipulation of web content (GitHub Advisory).
The vulnerability has been fixed in TYPO3 versions 9.5.17 and 10.4.2. Users are advised to update to these patched versions to mitigate the security risk (GitHub Advisory).
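The following is an added example, not code from TYPO3 or the advisory: a triage check that compares installed TYPO3 versions numerically against the affected ranges stated above and names the fixed release for each branch. The function names, hostnames and inventory are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory summary: (first affected, first fixed).
AFFECTED = [((9, 5, 12), (9, 5, 17)), ((10, 2, 0), (10, 4, 2))]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y.z."""
    m = _VERSION.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def fixed_release(text):
    """Return the fixed release to upgrade to, or None if outside the ranges.

    Raises ValueError for strings that cannot be compared (e.g. dev branches),
    so unknown versions are reviewed by hand rather than reported as safe.
    """
    version = parse_version(text)
    if version is None:
        raise ValueError(f"unparseable TYPO3 version: {text!r}")
    # Tuple comparison is numeric, so 9.5.9 sorts below 9.5.12 (a string
    # comparison would get this wrong).
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= version < first_fixed:
            return ".".join(map(str, first_fixed))
    return None


def triage(inventory):
    """Map each site to 'upgrade to X', 'not affected' or 'review manually'."""
    report = {}
    for site, version in inventory.items():
        try:
            fix = fixed_release(version)
        except ValueError:
            report[site] = "review manually"
            continue
        report[site] = f"upgrade to {fix}" if fix else "not affected"
    return report


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample data.
    sample = {"intranet.example": "9.5.16", "shop.example": "10.4.2",
              "blog.example": "v10.2.0", "staging.example": "10.4.x-dev"}
    for site, verdict in triage(sample).items():
        print(f"{site}: {verdict}")
```

Here "not affected" refers only to the version ranges of this advisory; it says nothing about other issues in older releases.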
The vulnerability was responsibly disclosed by Josef Glatz and fixed by TYPO3 security team member Oliver Hader (GitHub Advisory).
Source: This report was generated using AI