GHSA-mh5m-5hw4-5c69HighCVSS 8.7
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
🔗 CVE IDs covered (1)
📋 Description
Impact
TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.
Patches
This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later.
Workarounds
No official workaround available.
Acknowledgements
Tiny thanks maple3142 (https://maple3142.net) of DEVCORE for their help identifying this vulnerability.
References
Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.
🎯 Affected products3
- npm/tinymce:>= 6.8.0, < 7.1.0
- nuget/TinyMCE:>= 6.8.0, < 7.1.0
- composer/tinymce/tinymce:>= 6.8.0, < 7.1.0