Описание
Regex denial of service vulnerability in codesample plugin
Impact
A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.6.0 or higher
- Disable the
codesampleplugin - Disable ruby code samples using the codesample_languages setting
- Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting
Acknowledgements
Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory:
- Open an issue in the TinyMCE repo
- Email us at infosec@tiny.cloud
Пакеты
tinymce
< 5.6.0
5.6.0