Tinymce · Tinymce · CVE-2024-29881
**Name of the Vulnerable Software and Affected Versions**
TinyMCE versions prior to 6.8.1
TinyMCE versions prior to 7.0.0
**Description**
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content loading and content inserting code. An SVG image could be loaded through an `object` or `embed` element, and that image could potentially contain an XSS payload.
**Recommendations**
For versions prior to 6.8.1, a custom NodeFilter is recommended to remove or modify any `object` or `embed` elements. This can be added using the `editor.parser.addNodeFilter` and `editor.serializer.addNodeFilter` APIs.
For versions 6.8.1 and higher, set the `convert_unsafe_embeds` option to `true`.
For any earlier versions, consider temporarily disabling the use of `object` and `embed` elements until a patch is available.
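The NodeFilter mitigation for versions prior to 6.8.1, written out as an added example (this is not TinyMCE's own code). It registers one callback on both `editor.parser` and `editor.serializer` so `object` and `embed` elements are dropped when content is loaded or inserted and again when it is saved; the `selector` value is an assumption, and the filter logic is kept in a plain function so it can be exercised outside a browser.

```javascript
// Added example: strip `object` and `embed` elements in TinyMCE < 6.8.1.
// The filter body operates on TinyMCE AstNode-like objects (name, attr(),
// remove()), which is why it can also run against plain objects in tests.

// Removes every object/embed node it is handed; returns how many were dropped.
function stripUnsafeEmbeds(nodes) {
  let removed = 0;
  for (const node of nodes) {
    if (node.name === 'object' || node.name === 'embed') {
      // SVG loaded via these elements can carry script, so drop the element
      // rather than trying to sanitise the referenced resource.
      node.remove();
      removed += 1;
    }
  }
  return removed;
}

// Register the same filter for content coming in (parser) and going out
// (serializer), as the advisory recommends. TinyMCE accepts a comma-separated
// list of element names for addNodeFilter.
function registerEmbedFilter(editor) {
  editor.parser.addNodeFilter('object,embed', stripUnsafeEmbeds);
  editor.serializer.addNodeFilter('object,embed', stripUnsafeEmbeds);
  return editor;
}

// Only initialise the editor when the tinymce global exists (browser page);
// under Node this block is skipped so the functions above stay testable.
// On 6.8.1+ the built-in `convert_unsafe_embeds: true` option replaces this.
if (typeof tinymce !== 'undefined') {
  tinymce.init({
    selector: 'textarea#content',   // assumed selector for the page's textarea
    setup: registerEmbedFilter,
  });
}
```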