Lucene search

Veracode Vulnerability DatabaseVERACODE:44298

HistoryNov 16, 2023 - 9:53 a.m.

Mutation Cross-Site Scripting (mXSS)

2023-11-1609:53:14

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

tinymce

vulnerability

mutation

cross-site scripting

sanitization

text nodes

attacker

malicious scripts

software

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

20.6%

JSON

tinymce is vulnerable to mutation cross-site scripting (mXSS). The vulnerability is caused due to lack of sanitization in handling of text nodes.This could allow an attacker to inject malicious scripts.

References

github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711

github.com/tinymce/tinymce/commit/c8b267c6df01e0aabfe689a867ab936b1d21f50b

github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8

tiny.cloud/docs/release-notes/release-notes5109/

tiny.cloud/docs/tinymce/6/6.7.3-release-notes/

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

20.6%

JSON

Related for VERACODE:44298