Impact
The vulnerability resides in TYPO3's HTML Sanitizer component. When the configuration option ALLOW_INSECURE_RAW_TEXT is activated, the sanitizer does not recognize whitespace‑variant closing tags such as </style >. Browsers, however, treat these tags as legitimate terminators, so the content that follows them bypasses the sanitization step. This flaw permits an attacker to inject malicious payloads into user‑generated content, which the browser then renders as executable scripts, compromising confidentiality or integrity, or forging user input. The weakness is a classic cross‑site scripting flaw catalogued as CWE‑79 and a design flaw where insecure settings are tolerated, CWE‑436.
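The mismatch described above can be checked for in stored content. The following JavaScript is an added example, not code from the TYPO3 HTML Sanitizer: it compares the browser's end-tag rule for raw text with an assumed strict matcher that recognises only the exact </style> form, and its function names and sample string are constructed for illustration.

```javascript
// Added example; not code from the TYPO3 HTML Sanitizer.
// Browser rule: raw text ends at "</name" followed by whitespace, "/" or ">"
// (case-insensitive); the end tag then runs to the next ">".
// Simplification: quoted attributes on the end tag are not modelled.
function browserEndTag(html, tag, from) {
  const re = new RegExp(`</${tag}[\\t\\n\\f\\r />]`, 'gi');
  re.lastIndex = from;
  const m = re.exec(html);
  if (!m) return null;
  const gt = html.indexOf('>', m.index);
  return { start: m.index, end: gt === -1 ? html.length : gt + 1 };
}

// Assumed model of the flawed behaviour: only the exact "</name>" is recognised.
function strictEndTag(html, tag, from) {
  const re = new RegExp(`</${tag}>`, 'gi');
  re.lastIndex = from;
  const m = re.exec(html);
  return m ? { start: m.index, end: re.lastIndex } : null;
}

// Report each raw text element where the two matchers disagree on its end.
function findRawTextDifferentials(html, tag = 'style') {
  const open = new RegExp(`<${tag}(?=[\\s/>])[^>]*>`, 'gi');
  const findings = [];
  while (open.exec(html) !== null) {
    const from = open.lastIndex;
    const browser = browserEndTag(html, tag, from);
    const strict = strictEndTag(html, tag, from);
    const browserEnd = browser ? browser.end : html.length;
    const strictEnd = strict ? strict.end : html.length;
    if (browserEnd !== strictEnd) {
      findings.push({
        offset: browser.start,
        endTag: html.slice(browser.start, browser.end),
        // Text the strict matcher still treats as raw text but a browser parses as markup.
        parsedAsMarkup: html.slice(browserEnd, strict ? strict.start : html.length),
      });
    }
    open.lastIndex = browserEnd; // continue after the element as the browser sees it
  }
  return findings;
}

// Constructed sample: benign markup following a whitespace-variant end tag.
const SAMPLE = '<style>p{color:red}</style ><b>after</b><style>i{}</style>';
console.log(findRawTextDifferentials(SAMPLE));
```

Any finding marks content in which a whitespace-variant end tag closes the element earlier than the strict matcher assumes; such records are candidates for review or re-sanitization after updating.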
Affected Systems
This issue affects installations of the TYPO3 HTML Sanitizer component prior to version 2.3.2. Systems that rely on this package without updating or without disabling the ALLOW_INSECURE_RAW_TEXT option are vulnerable. The vulnerability is present in all releases of the component before the 2.3.2 security release, regardless of the TYPO3 core version that hosts it.
Risk and Exploitability
The CVSS score of 2.1 classifies the risk as low severity, and the EPSS score is not currently available. The flaw is not listed in the CISA KEV catalog, indicating no known exposure at a large scale. From the description, the likely attack vector involves an attacker inserting specially crafted content that contains whitespace‑variant closing tags into input fields or content streams that are processed by the sanitizer. Because the vulnerability is contingent on the insecure configuration setting, it is most often exploitable in environments where configuration oversight has occurred or legacy code has hard‑coded the option.