CVE-2024-38356

Source: Ubuntu CVE tracker (ubuntu.com), id UB:CVE-2024-38356
Published: 2024-06-19 00:00:00

Tags: tinymce, xss, vulnerability, patched, version 7.2.0, 6.8.4, 5.11.0, upgrade

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.2
Confidence: High

TinyMCE is an open source rich text editor. A cross-site scripting (XSS)
vulnerability was discovered in TinyMCE's content extraction code. When
the noneditable_regexp option is in use, specially crafted HTML attributes
containing malicious code could be executed when content was extracted
from the editor. This vulnerability has been patched in TinyMCE 7.2.0,
TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when the
noneditable_regexp option is in use, any content within an attribute is
properly verified to match the configured regular expression before being
added. Users are advised to upgrade. There are no known workarounds for
this vulnerability.

Notes

Author note (rodrigo-zaiden): roundcube includes tinymce source
