Home
HIGH: 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
affected
>= 6.0.0, <= 6.8.6
affected
>= 7.0.0, < 7.9.3
affected
>= 8.0.0, < 8.5.1
affected
Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
>= 6.0.0, <= 6.8.6
>= 7.0.0, < 7.9.3
>= 8.0.0, < 8.5.1
References
github.com/...inymce/security/advisories/GHSA-q742-qvgc-gc2f
www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/
www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/