CVE-2024-29881

Source
https://cve.org/CVERecord?id=CVE-2024-29881
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29881.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-29881
Aliases
Downstream
Published
2024-03-26T13:31:15.375Z
Modified
2026-04-02T10:09:38.060854Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Details

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element, and that image could potentially contain an XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29881.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tinymce/tinymce

Affected ranges

Type
GIT
Repo
https://github.com/tinymce/tinymce
Events

Affected versions

6.*
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.3.0
7.4.0
7.4.1
7.5.0
7.5.1
7.6.0
7.6.1
7.7.0
7.7.1
7.7.2
7.8.0
7.9.0
7.9.1
7.9.2
8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2
8.4.0
@ephox/acid@6.*
@ephox/acid@6.0.2
@ephox/acid@6.0.3
@ephox/acid@7.*
@ephox/acid@7.0.0
@ephox/acid@8.*
@ephox/acid@8.0.0
@ephox/agar@10.*
@ephox/agar@10.0.0
@ephox/agar@8.*
@ephox/agar@8.0.1
@ephox/agar@9.*
@ephox/agar@9.0.0
@ephox/alloy@14.*
@ephox/alloy@14.0.2
@ephox/alloy@14.0.3
@ephox/alloy@15.*
@ephox/alloy@15.0.0
@ephox/alloy@16.*
@ephox/alloy@16.0.0
@ephox/boss@6.*
@ephox/boss@6.1.1
@ephox/boss@7.*
@ephox/boss@7.0.0
@ephox/boss@8.*
@ephox/boss@8.0.0
@ephox/boulder@7.*
@ephox/boulder@7.1.6
@ephox/boulder@8.*
@ephox/boulder@8.0.0
@ephox/boulder@9.*
@ephox/boulder@9.0.0
@ephox/bridge@4.*
@ephox/bridge@4.7.1
@ephox/bridge@5.*
@ephox/bridge@5.0.0
@ephox/bridge@6.*
@ephox/bridge@6.0.0
@ephox/darwin@10.*
@ephox/darwin@10.0.0
@ephox/darwin@8.*
@ephox/darwin@8.2.1
@ephox/darwin@9.*
@ephox/darwin@9.0.0
@ephox/dragster@7.*
@ephox/dragster@7.3.1
@ephox/dragster@8.*
@ephox/dragster@8.0.0
@ephox/dragster@9.*
@ephox/dragster@9.0.0
@ephox/jax@7.*
@ephox/jax@7.0.10
@ephox/jax@8.*
@ephox/jax@8.0.0
@ephox/jax@9.*
@ephox/jax@9.0.0
@ephox/katamari-assertions@4.*
@ephox/katamari-assertions@4.0.10
@ephox/katamari-assertions@5.*
@ephox/katamari-assertions@5.0.0
@ephox/katamari-assertions@6.*
@ephox/katamari-assertions@6.0.0
@ephox/katamari@10.*
@ephox/katamari@10.0.0
@ephox/katamari@11.*
@ephox/katamari@11.0.0
@ephox/katamari@9.*
@ephox/katamari@9.1.6
@ephox/mcagar@10.*
@ephox/mcagar@10.0.0
@ephox/mcagar@11.*
@ephox/mcagar@11.0.0
@ephox/mcagar@9.*
@ephox/mcagar@9.0.1
@ephox/phoenix@10.*
@ephox/phoenix@10.0.0
@ephox/phoenix@8.*
@ephox/phoenix@8.4.1
@ephox/phoenix@9.*
@ephox/phoenix@9.0.0
@ephox/polaris@6.*
@ephox/polaris@6.3.1
@ephox/polaris@7.*
@ephox/polaris@7.0.0
@ephox/polaris@8.*
@ephox/polaris@8.0.0
@ephox/porkbun@7.*
@ephox/porkbun@7.0.10
@ephox/porkbun@8.*
@ephox/porkbun@8.0.0
@ephox/porkbun@9.*
@ephox/porkbun@9.0.0
@ephox/robin@10.*
@ephox/robin@10.4.1
@ephox/robin@11.*
@ephox/robin@11.0.0
@ephox/robin@12.*
@ephox/robin@12.0.0
@ephox/sand@6.*
@ephox/sand@6.0.10
@ephox/sand@7.*
@ephox/sand@7.0.0
@ephox/sand@8.*
@ephox/sand@8.0.0
@ephox/snooker@11.*
@ephox/snooker@11.2.1
@ephox/snooker@12.*
@ephox/snooker@12.0.0
@ephox/snooker@13.*
@ephox/snooker@13.0.0
@ephox/sugar@10.*
@ephox/sugar@10.0.0
@ephox/sugar@11.*
@ephox/sugar@11.0.0
@ephox/sugar@9.*
@ephox/sugar@9.3.1
@tinymce/oxide-icons-default@2.*
@tinymce/oxide-icons-default@2.6.1
@tinymce/oxide-icons-default@3.*
@tinymce/oxide-icons-default@3.0.0
@tinymce/oxide-icons-default@4.*
@tinymce/oxide-icons-default@4.0.0
@tinymce/oxide@2.*
@tinymce/oxide@2.8.2
@tinymce/oxide@3.*
@tinymce/oxide@3.0.0
@tinymce/oxide@4.*
@tinymce/oxide@4.0.0
tinymce@6.*
tinymce@6.8.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29881.json"