Closed Alyssa-o-Herrera closed 6 years ago
Hey, I noticed you're using an outdated version of MoxiePlayer which is allowing content spoofing. https://github.com/pluck-cms/pluck/blob/master/data/modules/tinymce/lib/plugins/media/moxieplayer.swf Proof of concept: website.com/data/modules/tinymce/lib/plugins/media/moxieplayerswf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true An attacker simply uses a victim's website to play videos, which could damage the website's reputation, i.e. terrorist propaganda or shock content.
Updated TinyMCE to version 4.7.9, which solves this issue. See pull request #49.
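Added example, not code from the report or from the pluck project: a detection pass over web-server access logs that flags requests for the legacy moxieplayer.swf whose `url` parameter points at a host other than the site's own, which is the abuse pattern the report describes. The log lines and the `own_hosts` value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:12:00:02 +0000] "GET /data/modules/tinymce/lib/plugins/media/moxieplayer.swf?url=https://example.org/vid.flv?raw=true HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2018:12:00:03 +0000] "GET /data/modules/tinymce/lib/plugins/media/moxieplayer.swf?url=/files/intro.flv HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:12:00:04 +0000] "GET /data/modules/tinymce/lib/plugins/media/moxieplayer.swf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def off_site_player_requests(log_text, own_hosts=("www.example.com",)):
    """Return (client_ip, timestamp, url_param) for every request to
    moxieplayer.swf whose url parameter is an absolute URL on a host
    that is not one of own_hosts (own_hosts is a constructed value)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith("/moxieplayer.swf"):
            continue
        # parse_qs splits on the first '=', so a nested '?raw=true' stays in the value.
        for url in parse_qs(target.query).get("url", []):
            host = urlsplit(url).netloc.lower()
            # Relative paths have no netloc and stay on-site; absolute
            # URLs on foreign hosts are the content-spoofing pattern.
            if host and host not in own_hosts:
                hits.append((m.group("ip"), m.group("ts"), url))
    return hits


if __name__ == "__main__":
    for ip, ts, url in off_site_player_requests(SAMPLE_LOG):
        print(f"{ts} {ip} loaded off-site media via moxieplayer.swf: {url}")
```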