Tinymce · Tinymce · CVE-2024-29203
**Name of the Vulnerable Software and Affected Versions**
TinyMCE versions prior to 6.8.1
**Description**
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
**Recommendations**
For versions prior to 6.8.1, update to version 6.8.1 or later to fix the vulnerability.
As a temporary workaround, consider configuring the HTTP Content-Security-Policy (CSP) `frame-src` or `object-src` to restrict or block the loading of unauthorized URLs.
In TinyMCE 7.0.0 and later, the `sandbox_iframes` option is enabled by default, which adds the `sandbox=""` attribute to every `iframe` element. To sandbox `iframe` elements from every domain, set the `sandbox_iframes_exclusions` option to `[]` (an empty exclusion list).
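The following is an added example that is not part of the advisory and not TinyMCE's own code. It illustrates both mitigations above: `buildCsp` assembles the interim CSP header value (the `frame-src` / `object-src` restriction) for deployments still on a version before 6.8.1, and `sandboxIframes` models what the TinyMCE 7 `sandbox_iframes` / `sandbox_iframes_exclusions` behaviour does to inserted content, i.e. it adds `sandbox=""` to every `iframe` whose host is not on the exclusion list. The function names, the `tinymceConfig` object and the base URL `https://editor.example` used to resolve relative `src` values are assumptions made for this example; the sample HTML is constructed.

```javascript
// Added example (not TinyMCE code). Models the sandbox_iframes behaviour and
// builds the interim CSP header value described in the advisory.

// Assumed TinyMCE 7 configuration fragment: sandbox every iframe from every domain.
const tinymceConfig = {
  selector: "textarea",
  sandbox_iframes: true,          // default since 7.0.0
  sandbox_iframes_exclusions: [], // empty list: no domain is exempt from sandboxing
};

// Interim mitigation for TinyMCE < 6.8.1: build a Content-Security-Policy value
// from a map of directive name -> source list. Only the listed origins may be
// framed; 'none' blocks plugins/objects entirely.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Minimal attribute parser for an HTML start tag body. Returns a null-prototype
// object (so names such as "constructor" cannot collide with Object.prototype).
function parseAttrs(attrText) {
  const attrs = Object.create(null);
  const re = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Add sandbox="" to every <iframe> start tag unless its src host is excluded.
// An iframe that already carries a sandbox attribute is left untouched.
function sandboxIframes(html, exclusions = []) {
  return html.replace(/<(iframe)\b([^>]*)>/gi, (whole, name, attrText) => {
    const attrs = parseAttrs(attrText);
    if ("sandbox" in attrs) return whole;

    // Resolve the frame target host; unparsable or scheme-only values (for
    // example a javascript: URL) yield "" and are therefore never excluded.
    let host = "";
    if (attrs.src !== undefined) {
      try {
        host = new URL(attrs.src, "https://editor.example").hostname; // assumed base
      } catch (e) {
        host = "";
      }
    }
    if (exclusions.includes(host)) return whole;

    // Keep a self-closing slash at the end of the tag if one was present.
    const body = attrText.replace(/\s*\/$/, "");
    const selfClose = body !== attrText ? " /" : "";
    return `<${name}${body} sandbox=""${selfClose}>`;
  });
}

// Stand-alone usage with constructed sample content.
const sampleHtml =
  '<p>Video:</p><iframe src="https://www.youtube.com/embed/abc"></iframe>' +
  '<iframe src="https://attacker.invalid/payload"></iframe>';
console.log(buildCsp({ "frame-src": ["https://www.youtube.com"], "object-src": ["'none'"] }));
console.log(sandboxIframes(sampleHtml, tinymceConfig.sandbox_iframes_exclusions));
console.log(sandboxIframes(sampleHtml, ["www.youtube.com"]));
```

With the empty exclusion list both frames receive `sandbox=""`; with `["www.youtube.com"]` only the second one does, which is the trade-off the exclusion option expresses: an excluded host is trusted to run scripts and navigate inside the frame.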