CVE-2024-29881 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements

🗓️ 26 Mar 2024 13:31:15Reported by GitHub_MType

TinyMCE XSS vulnerability in SVG handlin

Reporter	Title	Published	Views	Family All 22
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses tinymce-5.10.9.tgz which is vulnerable to CVE-2024-29203, CVE-2024-29881, and CVE-2024-29203.	15 Jul 202407:26	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo Asset Management - There is a vulnerability in tinymce-6.7.3.min.js used by IBM Maximo Asset Management application (CVE-2024-29881)	12 Jun 202415:54	–	ibm
CNNVD	Tiny Technologies TinyMCE 安全漏洞	26 Mar 202400:00	–	cnnvd
CVE	CVE-2024-29881	26 Mar 202413:31	–	cve
Debian CVE	CVE-2024-29881	26 Mar 202413:31	–	debiancve
EUVD	EUVD-2024-0820	3 Oct 202520:07	–	euvd
Github Security Blog	TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements	26 Mar 202421:23	–	github
Github Security Blog	Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881	24 Apr 202417:02	–	github
Atlassian	Upgrade tinyMCE to >= 7.0.0 to mitigate CVE-2024-29881/29203	8 Oct 202421:27	–	atlassian
NVD	CVE-2024-29881	26 Mar 202414:15	–	nvd

[
  {
    "vendor": "tinymce",
    "product": "tinymce",
    "versions": [
      {
        "version": "< 7.0.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
tiny	www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/
github	www.github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
tiny	www.tiny.cloud/docs/tinymce/7/7.0-release-notes/
github	www.github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78

26 Mar 2024 13:31Current

4.5Medium risk

Vulners AI Score4.5

CVSS 3.14.3

EPSS0.05137

CWE-79