GHSA-9hcv-j9pv-qmph

Source

https://github.com/advisories/GHSA-9hcv-j9pv-qmph

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-9hcv-j9pv-qmph/GHSA-9hcv-j9pv-qmph.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9hcv-j9pv-qmph

Aliases

CVE-2024-38356

Published

2024-06-19T15:07:08Z

Modified

2024-07-05T22:14:12.893236Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L CVSS Calculator

Summary

TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Details

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

References

For more information

If you have any questions or comments about this advisory:

Email us at infosec@tiny.cloud
Open an issue in the TinyMCE repo

Database specific

{
    "nvd_published_at": "2024-06-19T20:15:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-19T15:07:08Z"
}

References

Affected packages

npm / tinymce

Package

Name: tinymce; View open source insights on deps.dev
Purl: pkg:npm/tinymce

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.11.0

NuGet / TinyMCE

Package

Name: TinyMCE; View open source insights on deps.dev
Purl: pkg:nuget/TinyMCE

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.11.0

Affected versions

3.*

3.4.3.2

3.4.4

3.4.5

3.4.7

3.5.0

3.5.0.1

3.5.1

3.5.1.1

3.5.2

3.5.3

3.5.4

3.5.4.1

3.5.5

3.5.6

3.5.7

3.5.8

4.*

4.0.0

4.0.1

4.0.2

4.0.4

4.0.5

4.0.6

4.0.8

4.0.9

4.0.10

4.0.11

4.0.13

4.0.14

4.0.15

4.0.16

4.0.17

4.0.18

4.0.19

4.0.20

4.0.21

4.0.22

4.0.23

4.0.24

4.0.25

4.0.26

4.0.27

4.0.28

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.1.10

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.3.12

4.3.13

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.7.0

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.7.8

4.7.9

4.7.10

4.7.11

4.7.12

4.7.13

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

4.9.11

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.2.0

5.2.1

5.2.2

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.5.0

5.5.1

5.6.0

5.6.1

5.6.2

5.7.0

5.7.1

5.8.0

5.8.1

5.8.2

5.9.0

5.9.1

5.9.2

5.10.0

5.10.1

5.10.2

5.10.3

5.10.4

5.10.5

5.10.6

5.10.7

5.10.8

5.10.9

Packagist / tinymce/tinymce

Package

Name: tinymce/tinymce
Purl: pkg:composer/tinymce/tinymce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.11.0

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.0.14

4.0.15

4.0.16

4.0.17

4.0.18

4.0.19

4.0.20

4.0.21

4.0.22

4.0.23

4.0.24

4.0.25

4.0.26

4.0.27

4.0.28

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.1.10

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.3.12

4.3.13

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.12

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.7.8

4.7.9

4.7.10

4.7.11

4.7.12

4.7.13

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

4.9.11

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.2.0

5.2.1

5.2.2

5.3.0

5.3.1

5.3.2

5.4.0

5.4.1

5.4.2

5.5.0

5.5.1

5.6.0

5.6.1

5.6.2

5.7.0

5.7.1

5.8.0

5.8.1

5.8.2

5.9.0

5.9.1

5.9.2

5.10.0

5.10.1

5.10.2

5.10.3

5.10.4

5.10.5

5.10.6

5.10.7

5.10.8

5.10.9

npm / tinymce

Package

Name: tinymce; View open source insights on deps.dev
Purl: pkg:npm/tinymce

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.8.4

npm / tinymce

Package

Name: tinymce; View open source insights on deps.dev
Purl: pkg:npm/tinymce

Affected ranges

Type: SEMVER
Events: Introduced

7.0.0

Fixed

7.2.0

NuGet / TinyMCE

Package

Name: TinyMCE; View open source insights on deps.dev
Purl: pkg:nuget/TinyMCE

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.8.4

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.1.0

6.1.1

6.1.2

6.2.0

6.3.0

6.3.1

6.3.2

6.4.0

6.4.1

6.4.2

6.5.0

6.5.1

6.6.2

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

6.8.2

6.8.3

NuGet / TinyMCE

Package

Name: TinyMCE; View open source insights on deps.dev
Purl: pkg:nuget/TinyMCE

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.2.0

Affected versions

7.*

7.0.0

7.0.1

7.1.0

7.1.1

7.1.2

Packagist / tinymce/tinymce

Package

Name: tinymce/tinymce
Purl: pkg:composer/tinymce/tinymce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.8.4

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.1.0

6.1.1

6.1.2

6.2.0

6.3.0

6.3.1

6.3.2

6.4.0

6.4.1

6.4.2

6.5.0

6.5.1

6.6.0

6.6.1

6.6.2

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

6.8.2

6.8.3

Packagist / tinymce/tinymce

Package

Name: tinymce/tinymce
Purl: pkg:composer/tinymce/tinymce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.2.0

Affected versions

7.*

7.0.0

7.0.1

7.1.0

7.1.1

7.1.2

PyPI / django-tinymce

Package

Name: django-tinymce; View open source insights on deps.dev
Purl: pkg:pypi/django-tinymce

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.0

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.4.1

1.5

1.5.1.dev100

1.5.1.dev101

1.5.1a1

1.5.1a2

1.5.1a3

1.5.1b1

1.5.1b2

1.5.1b3

1.5.1b4

1.5.1

1.5.2

1.5.3

1.5.4

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.9.0

3.*

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.6.1

3.7.0

3.7.1

4.*

4.0.0

Database specific

{
    "last_known_affected_version_range": "<= 4.0.0"
}