Headline
GHSA-438c-3975-5x3f: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe
elements containing malicious code to execute when inserted into the editor. These iframe
elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Fix
TinyMCE 6.8.1 introduced a new sandbox_iframes
boolean option which adds the sandbox=""
attribute to every iframe
element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe
elements. From TinyMCE 7.0.0 onwards the default value of this option is true
.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions
option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox=""
attribute applied when the sandbox_iframes
option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe
elements from every domain, set this option to []
.
Workarounds
The HTTP Content-Security-Policy (CSP) frame-src
or object-src
can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.
References
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Fix
TinyMCE 6.8.1 introduced a new sandbox_iframes boolean option which adds the sandbox="" attribute to every iframe element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe elements. From TinyMCE 7.0.0 onwards the default value of this option is true.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox="" attribute applied when the sandbox_iframes option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe elements from every domain, set this option to [].
Workarounds
The HTTP Content-Security-Policy (CSP) frame-src or object-src can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.
References
- TinyMCE 6.8.1
- TinyMCE 7.0.0
References
- GHSA-438c-3975-5x3f
- https://nvd.nist.gov/vuln/detail/CVE-2024-29203
- tinymce/tinymce@bcdea2a
- https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
- https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true