CVE-2024-21908
MEDIUM6.1EPSS 0.52%Cross-site scripting vulnerability in TinyMCE
Description
### Impact A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.9.0 or higher - Manually sanitize the content using the `BeforeSetContent` event (see below) #### Example: Manually sanitize content ```js editor.on('BeforeSetContent', function(e) { var sanitizedContent = ...; // Manually sanitize content here e.content = sanitizedContent; }); ``` ### Acknowledgements Tiny Technologies would like to thank William Bowling for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) * Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)
Affected packages (3)
- npm/tinymcefrom 0, < 5.9.0
- NuGet/TinyMCEfrom 0, < 5.9.0
- Packagist/tinymce/tinymcefrom 0, < 5.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |