The vulnerability stems from improper input sanitization in the Backend User Administration Module. While exact code details are unavailable, TYPO3's architecture suggests backend user management logic resides in UserAdministrationController and related utilities. The CVE description explicitly cites XSS via unspecified vectors, implying functions handling user input/output in this module lack proper encoding. The 'medium' confidence reflects inferred patterns (TYPO3 backend structure and CWE-79 context) rather than direct code analysis. Patch notes for 6.0.12/6.1.7 would likely modify these areas to add escaping.