CVE-2024-21908 – tinymce
Package
Manager: nuget
Name: tinymce
Vulnerable Version: >=0 <5.9.0 || >=0 <5.9.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00365 pctl0.57703
Details
Cross-site scripting vulnerability in TinyMCE ### Impact A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.9.0 or higher - Manually sanitize the content using the `BeforeSetContent` event (see below) #### Example: Manually sanitize content ```js editor.on('BeforeSetContent', function(e) { var sanitizedContent = ...; // Manually sanitize content here e.content = sanitizedContent; }); ``` ### Acknowledgements Tiny Technologies would like to thank William Bowling for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes ### For more information If you have any questions or comments about this advisory: * Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud) * Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)
Metadata
Created: 2021-10-22T16:24:02Z
Modified: 2024-01-03T22:34:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-5h9g-x5rv-25wg/GHSA-5h9g-x5rv-25wg.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5h9g-x5rv-25wg
Finding: F008
Auto approve: 1