TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48219 - Medium Severity Vulnerability
Library home page: https://registry.npmjs.org/tinymce/-/tinymce-6.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tinymce/package.json
Dependency Hierarchy: - tinymce-react-4.3.0.tgz (Root Library) - :x: **tinymce-6.3.1.tgz** (Vulnerable Library)
Found in base branch: main
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-11-15
URL: CVE-2023-48219
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8
Release Date: 2023-11-15
Fix Resolution (tinymce): 6.7.3
Direct dependency fix Resolution (@tinymce/tinymce-react): 4.3.1-feature.20230124174746421.sha998862c
Step up your Open Source Security Game with Mend here