PT-2020-15020 · Tinymce · Tinymce
Michał Bentkowski · Published 2020-01-30 · Updated 2021-05-06 · CVE-2020-17480
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
TinyMCE versions 4.9.6 and earlier
TinyMCE versions 5.1.3 and earlier
Description
A cross-site scripting (XSS) issue was discovered in the core parser and in the paste and visualchars plugins, allowing arbitrary JavaScript execution when specially crafted content is inserted into the editor via the clipboard or the editor APIs.
Recommendations
For TinyMCE versions 4.9.6 and earlier, upgrade to TinyMCE 4.9.7.
For TinyMCE versions 5.1.3 and earlier, upgrade to TinyMCE 5.1.4.
As a temporary workaround, consider disabling the impacted plugins, or manually sanitize the content before it is inserted by using the BeforeSetContent event.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Tinymce