CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.001 Low
EPSS Percentile: 19.7%
TinyMCE is vulnerable to Cross-site Scripting (XSS). The vulnerability occurs when an HTML snippet is restored from the undo stack. In this situation, a combination of string manipulation and reparative parsing by the browser's native DomParser API results in malicious mutations to the HTML. This, in turn, allows an XSS payload to be executed when using functions such as undo/redo, the getContent API with the format: 'raw' option, the resetContent API, and the Autosave plugin.
github.com/tinymce/tinymce-dist/commit/b1ddb5ec9b0c7f5d542429a044bd303648d2d647
github.com/tinymce/tinymce-dist/commit/b9c50833d455adcf5ae89a6da7648ae5d65468df
github.com/tinymce/tinymce/commit/0aa56610cf3d0bf247b06da0b7124568b695b551
github.com/tinymce/tinymce/commit/1365f04567c6a57dbe6348674b1776c3e110346a
github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv
researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations
tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes
www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser/
www.tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
www.tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes