CVE-2024-38356 – django-tinymce

Package

Manager: pip
Name: django-tinymce
Vulnerable Version: >=0 <4.1.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

EPSS: 0.00506 pctl0.65272

Details

TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option ### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. ### Patches This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. ### Fix To avoid this vulnerability: * Upgrade to TinyMCE 7.2.0 or higher. * Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x. * Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial [long-term support](https://www.tiny.cloud/long-term-support/) contract). ### References * [TinyMCE 6.8.4](https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview) * [TinyMCE 7.2.0](https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview) ### For more information If you have any questions or comments about this advisory: * Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud) * Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc)

Metadata

Created: 2024-06-19T15:07:08Z
Modified: 2024-07-05T21:34:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-9hcv-j9pv-qmph/GHSA-9hcv-j9pv-qmph.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9hcv-j9pv-qmph
Finding: F008
Auto approve: 1