CVE-2024-21908

描述

### Impact A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.9.0 or higher - Manually sanitize the content using the `BeforeSetContent` event (see below) #### Example: Manually sanitize content ```js editor.on('BeforeSetContent', function(e) { var sanitizedContent = ...; // Manually sanitize content here e.content = sanitizedContent; }); ``` ### Acknowledgements Tiny Technologies would like to thank William Bowling for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) * Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)

受影響套件(3)

• npm/tinymcefrom 0, < 5.9.0
• NuGet/TinyMCEfrom 0, < 5.9.0
• Packagist/tinymce/tinymcefrom 0, < 5.9.0

CVSS 分數

參考連結(3)

• PATCHhttps://github.com/tinymce/tinymce
• WEBhttps://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
• WEBhttps://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes