TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1.
CVE-2024-29203 - Medium Severity Vulnerability
Vulnerable Library - tinymce-6.3.1.tgz
Library home page: https://registry.npmjs.org/tinymce/-/tinymce-6.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tinymce/package.json
Dependency Hierarchy: - tinymce-react-4.3.0.tgz (Root Library) - :x: **tinymce-6.3.1.tgz** (Vulnerable Library)
Found in base branch: main
Vulnerability Details
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1.
Publish Date: 2024-03-26
URL: CVE-2024-29203
CVSS 3 Score Details (4.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
Release Date: 2024-03-26
Fix Resolution (tinymce): 6.8.1
Direct dependency fix Resolution (@tinymce/tinymce-react): 4.3.1-feature.20230124174746421.sha998862c
Step up your Open Source Security Game with Mend here