CVE-2020-15514: 
PHP vulnerability analysis and mitigation

The jh_captcha extension (Google reCAPTCHA v2/v3) through versions 2.1.3 and 3.x through 3.0.2 for TYPO3 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in July 2020 and affects the extension's handling of user input in HTML context (TYPO3 Advisory).

The vulnerability stems from the extension's failure to properly encode user input for output in HTML context. The issue has a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires network access and low privileges to exploit (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts in the context of the affected TYPO3 installation. However, the impact is limited as the vulnerability is only exploitable by backend users who have access to TypoScript settings of the extension (TYPO3 Advisory).

The vulnerability has been fixed in versions 2.1.4 and 3.0.3 of the extension. Users are advised to update to these patched versions as soon as possible. The updated versions are available through the TYPO3 extension manager, Packagist, and can be downloaded directly from the TYPO3 extension repository (TYPO3 Advisory).