GHSA-h96f-fc7c-9r55 – tinymce

Package

Manager: npm
Name: tinymce
Vulnerable Version: >=0 <5.6.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Regex denial of service vulnerability in codesample plugin ### Impact A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the `codesample` plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the `codesample` plugin using TinyMCE 5.5.1 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.6.0 or higher - Disable the `codesample` plugin - Disable ruby code samples using the [codesample_languages](https://www.tiny.cloud/docs/plugins/opensource/codesample/#exampleusingcodesample_languages) setting - Override the PrismJS syntax highlighter to version 1.21.0 or higher using the [codesample_global_prismjs](https://www.tiny.cloud/docs/plugins/opensource/codesample/#codesample_global_prismjs) setting ### Acknowledgements Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes ### For more information If you have any questions or comments about this advisory: * Open an issue in the [TinyMCE repo](http://github.com/tinymce/tinymce/issues) * Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)

Metadata

Created: 2021-01-06T19:25:46Z
Modified: 2021-01-06T19:25:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-h96f-fc7c-9r55/GHSA-h96f-fc7c-9r55.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F002
Auto approve: 1