PT-2021-24350 · TinyMCE · TinyMCE

William Bowling · Published 2021-10-22 · Updated 2025-11-28 · CVE-2024-21908

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.9.0
Description: A stored cross-site scripting vulnerability affects TinyMCE, allowing an unauthenticated and remote attacker to insert crafted HTML into the editor. This results in arbitrary JavaScript execution in another user's browser. The vulnerability is due to a flaw in the schema validation logic of the core parser, which can be exploited when inserting specially crafted content into the editor using the clipboard or editor APIs.
Recommendations: To resolve the issue, upgrade to TinyMCE 5.9.0 or higher. Alternatively, manually sanitize the content using the BeforeSetContent event. For example, use the following code to sanitize content:
editor.on('BeforeSetContent', function(e) {
 var sanitizedContent = ...; // Manually sanitize content here
 e.content = sanitizedContent;
});
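As an added example (not code from the advisory or from the TinyMCE project), the handler below fills in the sanitization step of the recommended BeforeSetContent workaround: every assignment to e.content goes through an allowlist sanitizer that keeps a few formatting tags, drops all other tags (including script and img), discards every attribute not on the allowlist (so all on* handlers), and only keeps href values with an http(s) or mailto scheme. The sanitizer, the allowlists and installSanitizer are hypothetical and deliberately small to show the handler's shape; a production deployment should delegate the sanitization to a maintained library such as DOMPurify.

```javascript
// Allowlists are an assumption for this example; tune them to the content you accept.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Keep only allowlisted attributes; href must carry an explicit safe scheme
// (relative URLs are rejected by design in this simplified version).
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const re = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const out = [];
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue; // drops onclick, onerror, style, ...
    if (name === 'href' && !/^(https?:|mailto:)/i.test(value.trim())) continue;
    out.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return out.join('');
}

// Rewrite each complete tag; a '<' that does not start a complete tag
// (dangling tag, comment, processing instruction) is escaped so the browser
// cannot later reinterpret it as markup.
function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|</g, (whole, name, attrs) => {
    if (name === undefined) return '&lt;';
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  });
}

// The handler in the shape the advisory recommends: e.content is rewritten
// before TinyMCE's parser ever sees it.
function beforeSetContentHandler(e) {
  e.content = sanitizeHtml(e.content);
}

// Wiring for a real editor instance (editor.on is TinyMCE's event API).
function installSanitizer(editor) {
  editor.on('BeforeSetContent', beforeSetContentHandler);
}
```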

Related Identifiers

CVE-2024-21908
GHSA-5H9G-X5RV-25WG
GHSA-GJHC-6XM7-MC8Q

Affected Products

TinyMCE