
CVE-2024-21911 tinymce

Package

Manager: nuget
Name: tinymce
Vulnerable Version: >=0 <5.6.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00824 (percentile 0.73573)

Details

Cross-site scripting vulnerability in TinyMCE

### Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.

### Patches

This vulnerability has been patched in TinyMCE 5.6.0 by improved URL sanitization logic.

### Workarounds

To work around this vulnerability, either:

- Upgrade to TinyMCE 5.6.0 or higher
- Manually sanitize `iframe`, `object` and `embed` URL attributes using a [TinyMCE node filter](https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.domparser/#addnodefilter).
- Disable `iframe`, `object`, and `embed` elements in your content using the [invalid_elements](https://www.tiny.cloud/docs/configure/content-filtering/#invalid_elements) setting.

#### Example: Sanitizing using a node filter

```js
editor.parser.addNodeFilter('iframe,object,embed', function(nodes) {
  nodes.forEach(function(node) {
    if (node.attributes) {
      node.attributes.forEach(function(attr) {
        var name = attr.name;
        var value = attr.value;
        // Sanitize the attribute value here or remove it entirely
        // (placeholder: supply your own URL policy; passing null to
        // node.attr() removes the attribute)
        var sanitizedValue = ...;
        node.attr(name, sanitizedValue);
      });
    }
  });
});
```

#### Example: Using invalid_elements

```js
invalid_elements: 'iframe,object,embed'
```

### Acknowledgements

Tiny Technologies would like to thank Aaron Bishop at SecurityMetrics for discovering this vulnerability.

### References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)
* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)
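The node-filter workaround above leaves the actual URL policy as a placeholder. The following is an added, self-contained example of one way to fill it in; it is not part of the advisory and not TinyMCE's own 5.6.0 fix, and the allow-list policy (only `http`, `https`, protocol-relative and relative URLs survive on `src`/`data`; everything else, including `javascript:` and `data:`, is dropped) is an assumption chosen for this example. `FakeNode` is a stand-in for the small subset of `tinymce.html.Node` the filter touches, included only so the code runs without an editor; in a real integration you register `sanitizeEmbedNodes` with `editor.parser.addNodeFilter` exactly as in the advisory's snippet.

```javascript
// Added example: URL-attribute sanitizer for iframe/object/embed nodes,
// shaped to be passed to editor.parser.addNodeFilter. Not TinyMCE's own
// patch; the allow-list below is an assumption made for this example.

// Attributes on iframe/object/embed whose value the browser navigates to.
const URL_ATTRS = ['src', 'data'];

// Schemes permitted on those attributes (assumed policy).
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Returns the cleaned URL, or null when the attribute must be removed.
function sanitizeUrl(value) {
  if (typeof value !== 'string') return null;
  // Browsers ignore ASCII control characters (tab, newline, NUL, ...) inside
  // a scheme, so "java\tscript:" still runs as javascript:. Strip them, and
  // any surrounding whitespace, before looking at the scheme. Legitimate
  // URLs carry spaces as %20, so dropping raw spaces loses nothing.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  if (cleaned === '') return null;
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  if (m) {
    return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
  }
  // No scheme: a relative or protocol-relative URL, resolved against the
  // page origin rather than executed.
  return cleaned;
}

// Stand-in for the subset of tinymce.html.Node used here: an `attributes`
// array of {name, value} and attr(name, value), where value === null
// removes the attribute. Exists only so the example runs without TinyMCE.
class FakeNode {
  constructor(name, attrs) {
    this.name = name;
    this.attributes = Object.entries(attrs).map(([n, v]) => ({ name: n, value: v }));
  }
  attr(name, value) {
    const i = this.attributes.findIndex((a) => a.name === name);
    if (value === null) {
      if (i !== -1) this.attributes.splice(i, 1);
    } else if (i === -1) {
      this.attributes.push({ name, value });
    } else {
      this.attributes[i].value = value;
    }
    return this;
  }
  getAttr(name) {
    const a = this.attributes.find((x) => x.name === name);
    return a ? a.value : undefined;
  }
}

// Node-filter body. Walk a copy of the attribute list: node.attr(name, null)
// mutates node.attributes, and removing entries from an array while
// forEach() is iterating it skips the element that follows each removal.
function sanitizeEmbedNodes(nodes) {
  nodes.forEach((node) => {
    (node.attributes || []).slice().forEach((attr) => {
      if (!URL_ATTRS.includes(attr.name.toLowerCase())) return;
      node.attr(attr.name, sanitizeUrl(attr.value));
    });
  });
  return nodes;
}

// Real hook-up (not executed here):
// editor.parser.addNodeFilter('iframe,object,embed', sanitizeEmbedNodes);

// Constructed sample input: one hostile iframe, one legitimate embed.
function demo() {
  const hostile = new FakeNode('iframe', { src: 'java\tscript:alert(1)', width: '300' });
  const benign = new FakeNode('embed', { src: 'https://example.com/player.swf', type: 'x' });
  sanitizeEmbedNodes([hostile, benign]);
  return {
    hostileSrc: hostile.getAttr('src'),   // undefined: attribute removed
    hostileWidth: hostile.getAttr('width'), // '300': untouched
    benignSrc: benign.getAttr('src'),     // unchanged
  };
}
```

Prefer the `invalid_elements` workaround when your content never needs embedded media: it removes the whole element class and needs no policy of its own. When you must keep `iframe`/`object`/`embed`, a filter like this runs on every parse, including pastes and `setContent()` calls, which is why the advisory points at the parser rather than at the paste plugin alone.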

Metadata

Created: 2021-01-06T19:27:54Z
Modified: 2024-01-03T22:31:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-w7jx-j77m-wp65/GHSA-w7jx-j77m-wp65.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w7jx-j77m-wp65
Finding: F008
Auto approve: 1