tinymce is vulnerable to cross-site scripting (XSS). The vulnerability exists in the pBodyMessage function of Dialog.ts: alert and confirm messages are not sanitized, which allows an attacker to inject and execute malicious JavaScript.
github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes
www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes
www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler
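A defensive wrapper for integrations that cannot upgrade immediately, as an added example that is not TinyMCE's code or part of the advisory: it HTML-escapes any error text an upload handler rejects with, so untrusted markup never reaches the alert dialog as HTML. It assumes the promise-based images_upload_handler signature from the TinyMCE 6 documentation linked above and that the rejection message is what the editor displays in its alert dialog; escapeHtml, sanitizeUploadError and wrapUploadHandler are hypothetical names.

```javascript
// Added example: integration-side mitigation, not TinyMCE's own code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can start a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise whatever the upload code rejected with (a string, an Error, or a
// { message, remove } object) into { message, remove } with an escaped message.
function sanitizeUploadError(err) {
  const raw = typeof err === 'string' ? err
    : (err && typeof err.message === 'string') ? err.message
    : 'Image upload failed';
  return { message: escapeHtml(raw), remove: Boolean(err && err.remove) };
}

// Wrap a handler of the assumed shape (blobInfo, progress) => Promise<string>.
// Success values must be a non-empty URL string; every failure path is
// funnelled through sanitizeUploadError before the editor sees it.
function wrapUploadHandler(handler) {
  return (blobInfo, progress) =>
    Promise.resolve()
      .then(() => handler(blobInfo, progress))
      .then((location) => {
        if (typeof location !== 'string' || location === '') {
          throw new Error('Upload handler returned no image URL');
        }
        return location;
      })
      .catch((err) => Promise.reject(sanitizeUploadError(err)));
}

// Constructed sample: a server error body echoed straight into the rejection.
const constructedServerError = 'Bad file <img src=x onerror=alert(document.domain)>';
const failingHandler = () => Promise.reject(constructedServerError);

// Assumed usage:
//   tinymce.init({ images_upload_handler: wrapUploadHandler(myHandler) });
```

On a release that already contains the fix, the escaped entities may be shown literally in the dialog, so this wrapper is a stopgap and upgrading remains the remedy.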