CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object
or embed
element and that image could potentially contain a XSS payload.
TinyMCE 6.8.1 introduced a new convert_unsafe_embeds
option to automatically convert object
and embed
elements respective of their type
attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds
option is enabled by default.
If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds
to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object
or embed
elements. This can be added using the editor.parser.addNodeFilter
and editor.serializer.addNodeFilter
APIs.
Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.
github.com/advisories/GHSA-5359-pvf2-pw78
github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78
nvd.nist.gov/vuln/detail/CVE-2024-29881
www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%