PT-2021-24352 · Tinymce · Tinymce

Aaron Bishop · Published 2021-01-06 · Updated 2025-06-11 · CVE-2024-21911

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.6.0
Description: A stored cross-site scripting vulnerability was discovered in the URL sanitization logic of the core parser. It allows arbitrary JavaScript execution when specially crafted content is inserted into the editor, and affects every deployment running TinyMCE 5.5.1 or lower. An unauthenticated, remote attacker could insert crafted HTML into the editor, resulting in arbitrary JavaScript execution in another user's browser.
Recommendations: Upgrade to TinyMCE 5.6.0 or later. As a temporary workaround, sanitize the URL attributes of iframe, object and embed elements with a TinyMCE node filter, or disable those elements in your content entirely using the `invalid_elements` setting.
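The node-filter workaround above, written out as an added example (this is not TinyMCE's own code): the filter drops any iframe, object or embed whose URL attribute does not resolve to an http(s) URL, so scheme obfuscation is handled by the URL parser rather than by string matching. It assumes the TinyMCE 5 `DomParser.addNodeFilter` API and the AstNode `attr()`/`remove()` methods; the base URL `https://example.invalid/` is a placeholder.

```javascript
// Added example, not TinyMCE's code: a node filter that removes
// iframe/object/embed elements whose URL is not http(s).

// Attribute that carries the URL for each element the advisory names.
const URL_ATTR = { iframe: 'src', object: 'data', embed: 'src' };
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Resolve against a placeholder base so relative URLs are accepted. The
// WHATWG parser strips stray whitespace and normalises case before we
// inspect the scheme, so an allowlist on `protocol` is robust.
function isSafeEmbedUrl(value, base = 'https://example.invalid/') {
  if (typeof value !== 'string') return false;  // missing attribute: unsafe
  try {
    return ALLOWED_PROTOCOLS.has(new URL(value, base).protocol);
  } catch (e) {
    return false;  // unparsable URL: treat as unsafe
  }
}

// Node filter callback. `nodes` are TinyMCE AstNode objects exposing
// name, attr(name) and remove(). Returns the number of nodes dropped.
function sanitizeEmbedNodes(nodes) {
  let dropped = 0;
  for (const node of nodes) {
    const attr = URL_ATTR[node.name];
    if (attr && !isSafeEmbedUrl(node.attr(attr))) {
      node.remove();
      dropped++;
    }
  }
  return dropped;
}

// Call from the `setup` callback of tinymce.init({ ... }). The parser is
// only available once the editor fires PreInit.
function installEmbedUrlFilter(editor) {
  editor.on('PreInit', () => {
    editor.parser.addNodeFilter('iframe,object,embed', sanitizeEmbedNodes);
  });
}
```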

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-21911
GHSA-Q5PP-5Q2H-G8RV
GHSA-W7JX-J77M-WP65

Affected Products

Tinymce