Cross-site Scripting (XSS)

2024-01-0410:26:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

tinymce

xss

vulnerability

iframe

object

embed

url

attribute

javascript execution

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.3%

JSON

tinymce is vulnerable to Cross-Site Scripting. The vulnerability is due to a lack of proper sanitization for iframe, object and embed URL attributes within the TinyMCE’s core parser. This allows an attacker to insert a specially crafted piece of content into the editor using the clipboard or APIs which potentially leads to arbitrary JavaScript execution (XSS).

CPENameOperatorVersion
tinymcele5.5.1
tinymcele5.5.1
tinymce/tinymcele5.5.1
tinymcele5.0.9
tinymcele5.4.2
tinymcele5.5.1
tinymcele5.5.1
tinymcele5.5.1
tinymce/tinymcele5.5.1
tinymcele5.0.9

Name	Operator	Version
tinymce	le	5.5.1
tinymce	le	5.5.1
tinymce/tinymce	le	5.5.1
tinymce	le	5.0.9
tinymce	le	5.4.2
tinymce	le	5.5.1
tinymce	le	5.5.1
tinymce	le	5.5.1
tinymce/tinymce	le	5.5.1
tinymce	le	5.0.9