PT-2019-11462 · Tinymce · Tinymce

Intivesec

·

Published

2019-07-17

·

Updated

2020-08-11

·

CVE-2019-1010091

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: tinymce versions 4.7.11 through 4.9.9; tinymce versions 5.2.1 and earlier
Description: Improper neutralization of input during web page generation (cross-site scripting) in the Media plugin. Content pasted into the media dialog's embed tab is inserted into the document without adequate sanitization, so specially crafted content can execute arbitrary JavaScript in the context of the page hosting the editor. The attack requires user interaction: the victim must paste the malicious content into the embed tab. Affected versions are tinymce 4.7.11 through 4.9.9 and tinymce 5.2.1 and earlier.
Recommendations: Upgrade tinymce 4.7.11 through 4.9.9 to version 4.9.10, and tinymce 5.2.1 and earlier to version 5.2.2. If an upgrade is not immediately possible, disable the media plugin as a temporary workaround and strip CDATA sections from parsed content with a node filter registered on the PreInit event, for example:

    setup: function(editor) {
      editor.on('PreInit', function() {
        // Remove every CDATA node the parser produces before it reaches the document.
        editor.parser.addNodeFilter('#cdata', function(nodes) {
          for (var i = 0; i < nodes.length; i++) {
            nodes[i].remove();
          }
        });
      });
    }
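The following is an added example, not code from TinyMCE or from this advisory. It turns the version ranges above into an affected-version check usable in a dependency inventory, applies the two workarounds (dropping the media plugin and registering the CDATA node filter), and verifies them against a constructed stand-in for the editor object so that it runs under Node without a browser or TinyMCE itself. Assumptions: "5.2.1 and earlier" is read as the 5.x line (4.x has its own range), and the fake editor (`on`, `parser.addNodeFilter`, `fire`, `runFilter`) only models the surface the workaround touches; it is not TinyMCE's real API.

```javascript
// Added example (not TinyMCE's code). Checks a version against the advisory's
// affected ranges and verifies the advisory's workaround against a fake editor.

// Fixed versions from the advisory, keyed by major version.
const PATCHED = { 4: '4.9.10', 5: '5.2.2' };

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function cmp(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

function inRange(v, lo, hi) { return cmp(v, lo) >= 0 && cmp(v, hi) <= 0; }

// Affected ranges from the advisory. Assumption: "5.2.1 and earlier" means 5.0.0..5.2.1.
function isAffected(v) {
  return inRange(v, '4.7.11', '4.9.9') || inRange(v, '5.0.0', '5.2.1');
}

// Version to upgrade to, or null when the given version is not affected.
function fixedVersionFor(v) {
  return isAffected(v) ? PATCHED[parseVersion(v)[0]] : null;
}

// Workaround: remove the media plugin from the plugins list and register the
// CDATA node filter on PreInit, then chain any setup hook the caller already had.
function hardenConfig(config) {
  const plugins = (config.plugins || '').split(/\s+/).filter(p => p && p !== 'media');
  const userSetup = config.setup;
  return {
    ...config,
    plugins: plugins.join(' '),
    setup(editor) {
      editor.on('PreInit', () => {
        editor.parser.addNodeFilter('#cdata', nodes => {
          for (let i = 0; i < nodes.length; i++) nodes[i].remove();
        });
      });
      if (typeof userSetup === 'function') userSetup(editor);
    },
  };
}

// Constructed stand-in for the editor surface the workaround touches (assumption,
// not TinyMCE's API): it can fire PreInit and hand fake nodes to a registered filter.
function makeFakeEditor() {
  const handlers = {};
  const filters = {};
  return {
    on(evt, fn) { (handlers[evt] = handlers[evt] || []).push(fn); },
    parser: { addNodeFilter(name, fn) { (filters[name] = filters[name] || []).push(fn); } },
    fire(evt) { (handlers[evt] || []).forEach(fn => fn()); },
    runFilter(name, nodes) { (filters[name] || []).forEach(fn => fn(nodes)); },
  };
}

// Applies the hardened config to the fake editor, feeds three constructed #cdata
// nodes through the filter, and reports the plugin list and how many nodes survived.
function verifyWorkaround(config) {
  const hardened = hardenConfig(config);
  const editor = makeFakeEditor();
  hardened.setup(editor);
  editor.fire('PreInit');
  const live = new Set();
  const nodes = [1, 2, 3].map(id => {
    const n = { id, remove() { live.delete(n); } };
    live.add(n);
    return n;
  });
  editor.runFilter('#cdata', nodes);
  return { plugins: hardened.plugins, cdataRemaining: live.size };
}

module.exports = { isAffected, fixedVersionFor, hardenConfig, verifyWorkaround };
```

`verifyWorkaround` is only a self-check of the wiring; whether the real parser emits `#cdata` nodes for a given paste must be confirmed against the actual TinyMCE build, and the workaround is no substitute for upgrading to 4.9.10 or 5.2.2.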

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2019-1010091
GHSA-C78W-2GW7-GJV3

Affected products

Tinymce