CVE-2025-30081: 
PHP vulnerability analysis and mitigation

CVE-2025-30081 is a Cross-Site Scripting (XSS) vulnerability discovered in the Clickstorm SEO extension. The vulnerability was discovered in March 2025 and affects multiple versions of the software including versions 6.0.0-6.6.0, 7.0.0-7.3.3, 8.0.0-8.2.1, and 9.0.0-9.1.0. The vulnerability exists in the TYPO3 backend user interface where user input is not properly encoded for HTML output (TYPO3 Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Moderate severity) with the following vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C. The vulnerability is classified as CWE-79 (Cross-site Scripting) and requires a logged-in backend user for exploitation. The issue stems from improper encoding of user input when outputting in HTML context in the TYPO3 backend user interface (GitHub Advisory).

The vulnerability allows authenticated backend users to execute arbitrary JavaScript code in the context of other users' browsers who access the affected pages. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions within the scope of the affected user's session (TYPO3 Advisory).

Fixed versions (6.7.0, 7.4.0, 8.3.0, and 9.2.0) have been released and are available through the TYPO3 extension manager and packagist. The TYPO3 Security Team recommends enabling the Content Security Policy (CSP) for the TYPO3 backend user interface in TYPO3 12.4 as an additional security measure. In TYPO3 13.4, this security feature is enabled by default (TYPO3 Advisory).