ghsa-9hcv-j9pv-qmph
Vulnerability from github
Published
2024-06-19 15:07
Modified
2024-07-05 21:34
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Details
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp
option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp
option, any content within an attribute is properly verified to match the configured regular expression before being added.
Fix
To avoid this vulnerability:
- Upgrade to TinyMCE 7.2.0 or higher.
- Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
- Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
References
For more information
If you have any questions or comments about this advisory:
- Email us at infosec@tiny.cloud
- Open an issue in the TinyMCE repo
{ "affected": [ { "package": { "ecosystem": "npm", "name": "tinymce" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.11.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "TinyMCE" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.11.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "tinymce/tinymce" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.11.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "tinymce" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "6.8.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "tinymce" }, "ranges": [ { "events": [ { "introduced": "7.0.0" }, { "fixed": "7.2.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "TinyMCE" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "6.8.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "TinyMCE" }, "ranges": [ { "events": [ { "introduced": "7.0.0" }, { "fixed": "7.2.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "tinymce/tinymce" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "6.8.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "tinymce/tinymce" }, "ranges": [ { "events": [ { "introduced": "7.0.0" }, { "fixed": "7.2.0" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 4.0.0" }, "package": { "ecosystem": "PyPI", "name": "django-tinymce" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.1.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-38356" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-06-19T15:07:08Z", "nvd_published_at": "2024-06-19T20:15:11Z", "severity": "MODERATE" }, "details": "### Impact\nA [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE\u2019s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added.\n\n### Fix\nTo avoid this vulnerability:\n\n* Upgrade to TinyMCE 7.2.0 or higher.\n* Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.\n* Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial [long-term support](https://www.tiny.cloud/long-term-support/) contract).\n\n### References\n* [TinyMCE 6.8.4](https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview)\n* [TinyMCE 7.2.0](https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc)", "id": "GHSA-9hcv-j9pv-qmph", "modified": "2024-07-05T21:34:57Z", "published": "2024-06-19T15:07:08Z", "references": [ { "type": "WEB", "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38356" }, { "type": "WEB", "url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d" }, { "type": "WEB", "url": "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0" }, { "type": "PACKAGE", "url": "https://github.com/tinymce/tinymce" }, { "type": "WEB", "url": "https://owasp.org/www-community/attacks/xss" }, { "type": "WEB", "url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview" }, { "type": "WEB", "url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview" }, { "type": "WEB", "url": "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L", "type": "CVSS_V4" } ], "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.