Headline
GHSA-5359-pvf2-pw78: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload.
Fix
TinyMCE 6.8.1 introduced a new convert_unsafe_embeds option to automatically convert object and embed elements respective of their type attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds option is enabled by default.
Workarounds
If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs.
Acknowledgements
Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.
References
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-29881
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Moderate severity GitHub Reviewed Published Mar 26, 2024 in tinymce/tinymce • Updated Mar 26, 2024
Package
nuget TinyMCE (NuGet)
Affected versions
< 7.0.0
Description
Published to the GitHub Advisory Database
Mar 26, 2024
Last updated
Mar 26, 2024