Description

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Remediation

References

https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95

https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes

Related Vulnerabilities

CVE-2021-21615 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-28443 Vulnerability in npm package directus

CVE-2020-16044 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-41934 Vulnerability in maven package org.xwiki.platform:xwiki-platform-menu-ui

CVE-2017-16006 Vulnerability in maven package org.webjars.bower:remarkable

Severity

High

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Exploit Release Notes Third Party Advisory Vendor Advisory