CVE-2022-23494 seems to affect tinyMCE versions <5, and mosaico currently uses tinyMCE v4.9.11 as default. #644 added support for newer tinyMCE versions and, indeed, I could just `npm install tinymce@5` and then use `grunt build` (with a few gruntfile changes) to create a mosaico distribution that uses tinyMCE 5.10.7 instead of the vulnerable 4.9.

However, package.json.NOTES state:

> tinymce is "locked" to 4.9.x because our skin, build code, and css overrides
> still rely on 4.x.

Are there any plans to update mosaico to ship with tinyMCE 5 by default? Or maybe a separate branch? Is the current mosaico even vulnerable to CVE-2022-23494 due to the underlying tinyMCE?
What's the status on this?