CVE-2024-29203
- Source
- https://cve.org/CVERecord?id=CVE-2024-29203
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29203.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-29203
- Aliases
- Downstream
- Published
- 2024-03-26T13:23:53.673Z
- Modified
- 2026-03-14T12:33:49.489286Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
- Details
-
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed
iframeelements containing malicious code to execute when inserted into the editor. Theseiframeelements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29203.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29203.json
- https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
- https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
- https://nvd.nist.gov/vuln/detail/CVE-2024-29203
- https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
- https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true