TinyMCE Custom Styles < 1.1.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...
Cross-site Scripting (XSS)
tinymce is vulnerable to cross-site scripting. The vulnerability exists in pBodyMessage function of Dialog.ts due to lack of sanitization in alert and confirm messages which allows an attacker to inject and execute malicious JavaScript...
@agentlab/ldkg-ui-basetable (=0.1.1), @agentlab/ldkg-ui-charts (>=0.1.2 <=0.1.7) +327 more potentially affected by CVE-2022-23494 via tinymce (>=4.5.1 <=5.10.5)
tinymce NPM version =4.5.1, =0.1.2, =0.3.7, =0.1.17, =1.0.0, =1.0.0, =1.33.0, =1.0.0-alpha.39-baliz, =4.3.0, =0.5.0, =0.1.0, =0.0.4, =0.1.2, =0.8.4, =0.8.5 and more Source cves: CVE-2022-23494 Source advisory: OSV:GHSA-GG8R-XJWQ-4W92...
GHSA-GG8R-XJWQ-4W92 Cross-site scripting vulnerability in TinyMCE alerts
Impact: A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain...
@weedx/components (=0.0.1-beta), acmcoder-ui (>=1.0.2 <=1.0.11) +8 more potentially affected by CVE-2022-23494 via tinymce (>=6.0.0 <=6.2.0)
tinymce NPM version =6.0.0, =1.0.2, =1.0.96, =0.0.19, =1.0.0, =0.70.4, =1.0.6, =0.0.2, =0.0.5 Source cves: CVE-2022-23494 Source advisory: OSV:GHSA-GG8R-XJWQ-4W92...
Cross-site scripting vulnerability in TinyMCE alerts
Impact: A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain...
Cross-site Scripting (XSS)
Overview: TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occu...
CVE-2022-23494
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
UBUNTU-CVE-2022-23494
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
CVE-2022-23494
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
Cross site scripting
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
CVE-2022-23494 Cross-site scripting vulnerability in TinyMCE alerts
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
CVE-2022-23494
Removed by vendor...
CVE-2022-23494 Cross-site scripting vulnerability in TinyMCE alerts
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...
CVE-2022-23494
Summary (CVE-2022-23494): TinyMCE (open source rich text editor) suffers a cross-site scripting (XSS) vulnerability in alert/confirm dialogs when provided with malicious HTML, potentially allowing arbitrary JavaScript execution in the current user’s browser. Affected versions clock to TinyMCE 5.x...
PT-2022-20160 · Tinymce +1 · Tinymce +1
Name of the Vulnerable Software and Affected Versions: asith-eranga ISIC tour booking versions through the version published on Feb 13th 2018 Description: The issue allows attackers to upload arbitrary files via "/system/application/libs/js/tinymce/plugins/filemanager/dialog.php" and...
laravel-filemanager path traversal vulnerability
laravel-filemanager is a file upload/editor for Laravel 5 through 6 and CKEditor / TinyMCE. A path traversal vulnerability exists in versions of laravel-filemanager prior to 2.5.1, which stems from the fact that it allows reading arbitrary files by traversing directories via special URLs...
GHSA-95QR-67RX-9PGH Umbraco CMS vulnerable to stored XSS
A stored XSS vulnerability exists in Umbraco CMS = 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS...
Umbraco CMS vulnerable to stored XSS
A stored XSS vulnerability exists in Umbraco CMS = 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS...
GHSA-3CCX-7588-R6C6 Magento 2 Community Edition XSS Vulnerability
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to edit Product information via the TinyMCE editor...