Lucene search

K

Tinymce Security Vulnerabilities

cve
cve

CVE-2024-29881

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload. This vulnerability...

4.3CVSS

4.2AI Score

0.0004EPSS

2024-03-26 02:15 PM
38
cve
cve

CVE-2024-29203

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-03-26 02:15 PM
32
cve
cve

CVE-2023-48219

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text...

6.1CVSS

5.7AI Score

0.001EPSS

2023-11-15 07:15 PM
58
cve
cve

CVE-2023-2967

The TinyMCE Custom Styles WordPress plugin before 1.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.7AI Score

0.001EPSS

2023-07-10 04:15 PM
8
cve
cve

CVE-2023-45819

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully...

6.1CVSS

6AI Score

0.001EPSS

2023-10-19 10:15 PM
32
cve
cve

CVE-2023-45818

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions...

6.1CVSS

5.7AI Score

0.001EPSS

2023-10-19 10:15 PM
40
cve
cve

CVE-2023-23995

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tim Reeves & David Stöckl TinyMCE Custom Styles plugin <= 1.1.2...

5.9CVSS

4.8AI Score

0.0005EPSS

2023-04-25 08:15 PM
17
cve
cve

CVE-2022-23494

tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which...

6.1CVSS

6AI Score

0.002EPSS

2022-12-08 10:15 PM
65
cve
cve

CVE-2014-3844

The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party...

6.9AI Score

0.002EPSS

2022-10-03 04:20 PM
18
cve
cve

CVE-2014-3845

Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third...

7.4AI Score

0.001EPSS

2022-10-03 04:20 PM
16
cve
cve

CVE-2011-4825

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted...

7.3AI Score

0.969EPSS

2022-10-03 04:15 PM
40
cve
cve

CVE-2022-1217

The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site...

6.1CVSS

6.2AI Score

0.001EPSS

2022-05-16 03:15 PM
54
5
cve
cve

CVE-2019-1010091

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed...

6.1CVSS

6.3AI Score

0.001EPSS

2019-07-17 05:15 PM
38
cve
cve

CVE-2012-4230

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea...

6.8AI Score

0.002EPSS

2014-04-25 02:15 PM
29
cve
cve

CVE-2012-3414

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the...

5.5AI Score

0.034EPSS

2013-07-19 02:36 PM
113
cve
cve

CVE-2013-2204

moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash...

6.5AI Score

0.006EPSS

2013-07-08 08:55 PM
37
cve
cve

CVE-2012-6112

classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote...

6.6AI Score

0.006EPSS

2013-01-27 10:55 PM
26