Home
HIGH: 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
affected
>= 6.0.0, <= 6.8.6
affected
>= 7.0.0, < 7.9.3
affected
>= 8.0.0, < 8.5.1
affected
Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
>= 6.0.0, <= 6.8.6
>= 7.0.0, < 7.9.3
>= 8.0.0, < 8.5.1
References
github.com/...inymce/security/advisories/GHSA-vg35-5wq7-3x7w
www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/
www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/