TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements

2024-06-1915:07:03

Google

osv.dev

tinymce

cross-site scripting

vulnerability

noscript

patched

upgrade

lts

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.

References

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]
Open an issue in the TinyMCE repo

CPENameOperatorVersion
tinymceeq4.5.5
tinymceeq5.6.2
tinymce/tinymceeq4.3.13
tinymceeq4.0.10
tinymce/tinymceeq4.3.7
tinymce/tinymceeq6.6.0
tinymceeq5.1.5
tinymce/tinymceeq4.3.10
tinymce/tinymceeq4.0.20
tinymce/tinymceeq5.0.14

Name	Operator	Version
tinymce	eq	4.5.5
tinymce	eq	5.6.2
tinymce/tinymce	eq	4.3.13
tinymce	eq	4.0.10
tinymce/tinymce	eq	4.3.7
tinymce/tinymce	eq	6.6.0
tinymce	eq	5.1.5
tinymce/tinymce	eq	4.3.10
tinymce/tinymce	eq	4.0.20
tinymce/tinymce	eq	5.0.14