Closed mend-bolt-for-github[bot] closed 2 years ago
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.
Vulnerable Library - source_editor-3.5.8.js
TinyMCE rich text editor
Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/3.5.8/themes/advanced/js/source_editor.js
Path to dependency file: /serviciosacademicos/consulta/facultades/materiasgrupos/contenidoprogramatico/jscripts/tiny_mce/themes/advanced/source_editor.htm
Path to vulnerable library: /serviciosacademicos/consulta/facultades/materiasgrupos/contenidoprogramatico/jscripts/tiny_mce/themes/advanced/js/source_editor.js,/serviciosacademicos/educacionContinuada/tinyMCE/jscripts/tiny_mce/themes/advanced/js/source_editor.js
Found in HEAD commit: 55981b26768d3a373b40e633877c97864c2de48f
Vulnerabilities
Details
CVE-2020-12648
### Vulnerable Library - source_editor-3.5.8.jsTinyMCE rich text editor
Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/3.5.8/themes/advanced/js/source_editor.js
Path to dependency file: /serviciosacademicos/consulta/facultades/materiasgrupos/contenidoprogramatico/jscripts/tiny_mce/themes/advanced/source_editor.htm
Path to vulnerable library: /serviciosacademicos/consulta/facultades/materiasgrupos/contenidoprogramatico/jscripts/tiny_mce/themes/advanced/js/source_editor.js,/serviciosacademicos/educacionContinuada/tinyMCE/jscripts/tiny_mce/themes/advanced/js/source_editor.js
Dependency Hierarchy: - :x: **source_editor-3.5.8.js** (Vulnerable Library)
Found in HEAD commit: 55981b26768d3a373b40e633877c97864c2de48f
Found in base branch: master
### Vulnerability DetailsA cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
Publish Date: 2020-08-14
URL: CVE-2020-12648
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12648
Release Date: 2020-08-17
Fix Resolution: 4.9.11,5.4.1
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)