Описание
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed.
Fix
To avoid this vulnerability:
- Upgrade to TinyMCE 7.2.0 or higher.
- Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
- Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
Acknowledgements
Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.
References
For more information
If you have any questions or comments about this advisory:
- Email us at infosec@tiny.cloud
- Open an issue in the TinyMCE repo
Ссылки
- https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x
- https://nvd.nist.gov/vuln/detail/CVE-2024-38357
- https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d
- https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0
- https://owasp.org/www-community/attacks/xss
- https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview
- https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview
Пакеты
tinymce
< 5.11.0
5.11.0
TinyMCE
< 5.11.0
5.11.0
tinymce/tinymce
< 5.11.0
5.11.0
tinymce
>= 6.0.0, < 6.8.4
6.8.4
tinymce
>= 7.0.0, < 7.2.0
7.2.0
TinyMCE
>= 6.0.0, < 6.8.4
6.8.4
TinyMCE
>= 7.0.0, < 7.2.0
7.2.0
tinymce/tinymce
>= 6.0.0, < 6.8.4
6.8.4
tinymce/tinymce
>= 7.0.0, < 7.2.0
7.2.0
django-tinymce
<= 4.0.0
4.1.0
Связанные уязвимости
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
TinyMCE is an open source rich text editor. A cross-site scripting (XS ...
Уязвимость редактора форматированного текста TinyMCE, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)