GHSA-w9jx-4g6g-rp7x: TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-w9jx-4g6g-rp7x

TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements

Moderate severity GitHub Reviewed Published Jun 19, 2024 in tinymce/tinymce • Updated Jun 19, 2024

Package

nuget TinyMCE (NuGet)

Affected versions

< 5.11.0

>= 6.0.0, < 6.8.4

>= 7.0.0, < 7.2.0

Patched versions

5.11.0

6.8.4

7.2.0

< 5.11.0

>= 6.0.0, < 6.8.4

>= 7.0.0, < 7.2.0

< 5.11.0

>= 6.0.0, < 6.8.4

>= 7.0.0, < 7.2.0

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed.

Fix

To avoid this vulnerability:

• Upgrade to TinyMCE 7.2.0 or higher.
• Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
• Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.

References

• TinyMCE 6.8.4
• TinyMCE 7.2.0

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]
• Open an issue in the TinyMCE repo

References

• GHSA-w9jx-4g6g-rp7x

Published to the GitHub Advisory Database

Jun 19, 2024

Last updated

Jun 19, 2024