PT-2020-13186 · Tinymce · Tinymce

Chris Davis +1 · Published 2020-08-11 · Updated 2020-08-17

CVE-2020-12648 · CVSS v3.1 6.1 Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyMCE 4.x, versions 4.9.10 and earlier; TinyMCE 5.x, versions 5.2.1 and earlier and versions 5.4.0 and earlier.
Description: A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script when the editor is configured in classic editing mode. The flaw is in the core parser: inserting a specially crafted piece of content into the editor, via the clipboard or the editor's APIs, results in arbitrary JavaScript execution.
Recommendations: For TinyMCE 4.9.10 and earlier, upgrade to TinyMCE 4.9.11. For TinyMCE 5.x up to and including 5.4.0 (which covers 5.2.1 and earlier), upgrade to TinyMCE 5.4.1. If you cannot upgrade immediately, enable the media plugin, which overrides the default parsing behaviour for iframes. Alternatively, update the schema's parsing rule for iframes by adding the following setup callback to the editor configuration:
```js
// Workaround from the advisory: the setup callback goes into the options
// object passed to tinymce.init(). The selector is illustrative only.
tinymce.init({
  selector: 'textarea',
  setup: function (editor) {
    editor.on('PreInit', function () {
      // Make the schema treat an <iframe> as closed only by a matching end tag,
      // whitespace or attributes on that end tag included.
      editor.schema.getSpecialElements()['iframe'] = /<\/iframe[^>]*>/gi;
    });
  }
});
```
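Why the closing-tag pattern in the workaround matters, as an added example that is neither TinyMCE code nor its parser: a minimal scanner for HTML raw-text elements such as `<iframe>` is run over one constructed input with two patterns, the `/<\/iframe[^>]*>/gi` from the workaround above and a stricter `/<\/iframe>/gi` that is assumed here purely for contrast (it is not claimed to be TinyMCE's former default). The sample HTML, the `scan` and `markupHasHandler` helpers and the constant names are all this example's own.

```javascript
// Added example, not TinyMCE code: a minimal scanner for HTML "special"
// (raw text) elements such as <iframe>. After the start tag everything is
// inert text until the closing-tag pattern matches, so the choice of
// pattern decides where the inert region ends. A browser ends raw text at
// "</iframe" followed by whitespace, "/" or ">", attributes included.

// Closing-tag pattern from the advisory's workaround.
const WORKAROUND_CLOSE = /<\/iframe[^>]*>/gi;
// Hypothetical stricter pattern, assumed here only for contrast: it accepts
// a bare </iframe> and nothing else. Not claimed to be TinyMCE's default.
const STRICT_CLOSE = /<\/iframe>/gi;

// Split html into segments of type 'markup' (parsed, so tags and event
// handlers take effect) and 'rawtext' (inert iframe content).
function scan(html, closeRe) {
  const openRe = /<iframe\b[^>]*>/gi;
  const segments = [];
  let pos = 0;
  while (pos < html.length) {
    openRe.lastIndex = pos;
    const open = openRe.exec(html);
    if (!open) {
      segments.push({ type: 'markup', text: html.slice(pos) });
      break;
    }
    if (open.index > pos) {
      segments.push({ type: 'markup', text: html.slice(pos, open.index) });
    }
    const contentStart = open.index + open[0].length;
    closeRe.lastIndex = contentStart;
    const close = closeRe.exec(html);
    if (!close) {
      // No closing tag found: the rest of the document is inert text.
      segments.push({ type: 'rawtext', text: html.slice(contentStart) });
      break;
    }
    segments.push({ type: 'rawtext', text: html.slice(contentStart, close.index) });
    pos = close.index + close[0].length;
  }
  return segments;
}

// True if any segment the scanner classified as markup carries an inline
// event handler attribute, i.e. something a sanitizer would have to act on.
function markupHasHandler(segments) {
  return segments.some(s => s.type === 'markup' && /\son[a-z]+\s*=/i.test(s.text));
}

// Constructed sample: the iframe's end tag carries a stray attribute and is
// followed by an element with an event handler.
const SAMPLE = '<p>hi</p><iframe src="a"></iframe x><img src=x onerror=alert(1)>';

const strictView = scan(SAMPLE, STRICT_CLOSE);
const workaroundView = scan(SAMPLE, WORKAROUND_CLOSE);

console.log('strict pattern sees handler in markup:', markupHasHandler(strictView));
console.log('workaround pattern sees handler in markup:', markupHasHandler(workaroundView));
```

With the strict pattern the scanner never finds a closing tag, so the `<img onerror>` ends up inside what it considers inert iframe text and a sanitizer working on that view would not look at it; a browser, which ends the raw-text region at `</iframe x>`, parses the `<img>` as markup and fires the handler. The workaround pattern ends the region where the browser does, so the element surfaces as markup and can be filtered. Any disagreement of this kind between an editor's parser and the browser's tokenizer is a parser differential, which is the general class of problem to check for when reviewing schema rules for raw-text elements.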

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-12648
GHSA-VRV8-V4W8-F95H

Affected Products

Tinymce