Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account.
Advisories for Composer/Amazing/Media2click package
2021