CVE-2025-48206: 
PHP vulnerability analysis and mitigation

The nsbackup extension through version 13.0.0 for TYPO3 contains a Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and disclosed on May 20, 2025, affecting the TYPO3 extension 'Backup Plus' (nsbackup). The vulnerability has been assigned CVE-2025-48206 and has received a CVSS v3.1 base score of 6.1 (MEDIUM) (TYPO3 Advisory, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). The issue stems from the extension's failure to properly encode user input for output in HTML context in the TYPO3 backend user interface. The vulnerability has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it is network accessible, requires low attack complexity, and needs user interaction (Wiz).

The vulnerability affects the confidentiality and integrity of the application with low severity, while having no impact on availability. The successful exploitation of this XSS vulnerability could allow attackers to execute malicious scripts in the context of the TYPO3 backend user interface (Wiz).

The vulnerability has been patched in version 13.0.1 of the ns_backup extension. Users are strongly advised to update to this version as soon as possible. The updated version can be obtained through the TYPO3 extension manager, packagist, or downloaded directly from the TYPO3 extension repository (TYPO3 Advisory).