Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2023-48219
HistoryNov 15, 2023 - 7:15 p.m.

CVE-2023-48219

2023-11-1519:15:07
Debian Security Bug Tracker
security-tracker.debian.org
38
tinymce
mutation cross-site scripting
html standard
undo/redo
security patch
upgrade
vulnerability

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

OSVersionArchitecturePackageVersionFilename
Debian10alltinymce<= 3.4.8+dfsg0-2tinymce_3.4.8+dfsg0-2_all.deb

Related

prion 1
cve 1
veracode 1
osv 2
ibm 2
github 1
ubuntucve 1
freebsd 1
nessus 1
cvelist 1
nvd 1
prion
prion
Cross site scripting
2023-11-15 19:15:00
cve
cve
CVE-2023-48219
2023-11-15 19:15:07
veracode
veracode
Mutation Cross-Site Scripting (mXSS)
2023-11-16 09:53:14
osv
osv
CVE-2023-48219
2023-11-15 19:15:07
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
2023-11-15 18:32:34
ibm
ibm
Security Bulletin: IBM Maximo Application Suite uses tinymce-5.10.8.tgz which is vulnerable to CVE-2023-48219
2024-02-06 10:00:04
Security Bulletin: There is a vulnerability in tinymce-6.7.1.min.js used by IBM Maximo Asset Management application (CVE-2023-48219)
2024-03-12 20:56:49
github
github
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
2023-11-15 18:32:34
ubuntucve
ubuntucve
CVE-2023-48219
2023-11-15 00:00:00
freebsd
freebsd
TinyMCE -- mXSS in multiple plugins
2023-11-15 00:00:00
nessus
nessus
FreeBSD : TinyMCE -- mXSS in multiple plugins (9532a361-b84d-11ee-b0d7-84a93843eb75)
2024-01-24 00:00:00
cvelist
cvelist
CVE-2023-48219 Special characters in unescaped text nodes can trigger mXSS in TinyMCE
2023-11-15 18:59:03
nvd
nvd
CVE-2023-48219
2023-11-15 19:15:07

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON
Related for DEBIANCVE:CVE-2023-48219
prion1cve1veracode1osv2ibm2github1ubuntucve1freebsd1nessus1cvelist1nvd1