872 matches found
@arkxio/ark-ui (>=0.1.0 <=0.1.18), @arkxio/ark-ui-src (=0.1.0) +38 more potentially affected by CVE-2024-38357 via tinymce (>=6.0.0 <=6.8.3)
tinymce NPM version =6.0.0, =0.1.0, =0.1.19, =0.1.0, =0.1.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.7 and more Source cves: CVE-2024-38357 Source advisory: OSV:GHSA-W9JX-4G6G-RP7X...
bpp-iplweb (>=202304.1100.0 <=202504.1174.0), django-saas-email (>=0.1.21 <=0.1.29) +8 more potentially affected by CVE-2024-38357 via django-tinymce (>=1.5.1b4 <=3.7.1)
django-tinymce PYPI version =1.5.1b4, =202304.1100.0, =0.1.21, =0.8.0, =3.3.3, =0.6.0, =0.1.3.2, =1.0.0b1, =0.3.0, =0.5.2 - zinnia-wysiwyg-tinymce =1.4.0 Source cves: CVE-2024-38357 Source advisory: OSV:GHSA-W9JX-4G6G-RP7X...
3h1-ui (>=3.0.0-liingyun.1 <=3.0.0-next.258), @abt-desk/apm (>=0.0.1 <=0.33.12) +1185 more potentially affected by CVE-2024-38357 via tinymce (>=4.5.1 <=5.10.9)
tinymce NPM version =4.5.1, =3.0.0-liingyun.1, =0.0.1, =0.1.0, =0.1.2, =0.3.7, =0.1.17, =0.1.0, =0.0.1, =1.0.0, =0.2.0-0, =1.0.18-beta.8, =1.0.0, =1.2.3-beta.1, =0.1.1, =0.1.11 and more Source cves: CVE-2024-38357 Source advisory: OSV:GHSA-W9JX-4G6G-RP7X...
@ifanrx/dashboard (>=0.1.1 <=1.3.0-alpha-20240730001), @ithinkdt/editor (>=3.4.11 <=3.5.0) +1 more potentially affected by CVE-2024-38357 via tinymce (>=7.0.1 <=7.1.2)
tinymce NPM version =7.0.1, =0.1.1, =3.4.11, =3.0.7, =3.4.0-5 Source cves: CVE-2024-38357 Source advisory: OSV:GHSA-W9JX-4G6G-RP7X...
GHSA-W9JX-4G6G-RP7X TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. Patches: This vulnerability has been patched in TinyMCE 7.2.0,...
Cross-site Scripting (XSS)
Overview: TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when parsing noscript elements in the editor. An attacker can bypass sanitization by placing malicious code in noscript elements. Details: Cross-site...
Tiny Technologies TinyMCE Security Vulnerability
Tiny Technologies TinyMCE is a rich text editor from Tiny Technologies, USA. A security vulnerability exists in TinyMCE that stems from the presence of a cross-site scripting (XSS) vulnerability...
Tiny Technologies TinyMCE Security Vulnerability
Tiny Technologies TinyMCE is a rich text editor from Tiny Technologies, USA. A security vulnerability exists in Tiny Technologies TinyMCE that stems from the presence of a cross-site scripting (XSS) vulnerability that allows execution of malicious code when loading content into the editor...
PT-2024-7087
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.11.0 LTS; TinyMCE versions prior to 6.8.4; TinyMCE versions prior to 7.2.0. Description: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript...
Security Bulletin: IBM Maximo Asset Management - There is a vulnerability in tinymce-6.7.3.min.js used by IBM Maximo Asset Management application (CVE-2024-29203)
Summary: There is a vulnerability in tinymce-6.7.3.min.js used by IBM Maximo Asset Management application. Vulnerability Details: CVEID: CVE-2024-29203 DESCRIPTION: TinyMCE is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the iframe elements. A remote...
Security Bulletin: Maximo Asset Management - There is a vulnerability in tinymce-6.7.3.min.js used by IBM Maximo Asset Management application (CVE-2024-29881)
Summary: There is a vulnerability in tinymce-6.7.3.min.js used by IBM Maximo Asset Management application. CVE-2024-29881. Vulnerability Details: CVEID: CVE-2024-29881 DESCRIPTION: TinyMCE is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the external SVG...
Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
Impact: The TinyMCE Bundle uses tinymce version 6.7.3. CVEs for this version exist for 6.8.1: https://nvd.nist.gov/vuln/detail/CVE-2024-29203 https://nvd.nist.gov/vuln/detail/CVE-2024-29881 Patches: The package should be updated to at least 6.8.1 to avoid XSS vulnerability. Workarounds: Upgrade...
GHSA-VJWG-28GV-PM8H Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
Impact: The TinyMCE Bundle uses tinymce version 6.7.3. CVEs for this version exist for 6.8.1: https://nvd.nist.gov/vuln/detail/CVE-2024-29203 https://nvd.nist.gov/vuln/detail/CVE-2024-29881 Patches: The package should be updated to at least 6.8.1 to avoid XSS vulnerability. Workarounds: Upgrade...
Cross-Site Scripting (XSS)
TinyMCE is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper SVG sanitization, which allows an attacker to inject an SVG payload through an object or embed element, which results in Cross-Site Scripting...
Cross-Site Scripting (XSS)
TinyMCE is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper iframe restrictions, which allows an attacker to add an iframe element with malicious code which will execute upon insertion. Note that malicious code will be sandboxed due to same-origin browser protections...
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but...
3h1-ui (>=3.0.0-liingyun.1 <=3.0.0-next.258), @abt-desk/apm (>=0.0.1 <=0.33.12) +1306 more potentially affected by CVE-2024-29203 via tinymce (>=4.5.1 <=6.7.3)
tinymce NPM version =4.5.1, =3.0.0-liingyun.1, =0.0.1, =0.1.0, =0.1.2, =0.3.7, =0.1.7, =0.1.0, =0.0.1, =1.0.0, =0.2.0-0, =1.0.18-beta.8, =1.0.0, =1.2.3-beta.1, =0.1.1, =0.1.11 and more Source cves: CVE-2024-29203 Source advisory: OSV:GHSA-438C-3975-5X3F...
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload. Fix: TinyMCE 6.8.1 introduced a new convert_unsafe_embeds opti...
17fe-ui23 (>=0.0.0 <=0.0.24), 3h1-ui (>=3.0.0-liingyun.1 <=3.0.0-next.258) +1770 more potentially affected by CVE-2024-29881 via tinymce (>=4.5.1 <=6.8.6)
tinymce NPM version =4.5.1, =0.0.0, =3.0.0-liingyun.1, =0.0.1, =12.1.0, =0.0.1, =0.1.0, =4.1.0, =1.0.0-beta.1, =4.1.2-rc, =1.0.0, =0.1.2, =0.3.7, =0.1.7, =0.3.0 and more Source cves: CVE-2024-29881 Source advisory: OSV:GHSA-5359-PVF2-PW78...
GHSA-5359-PVF2-PW78 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload. Fix: TinyMCE 6.8.1 introduced a new convert_unsafe_embeds opti...