PT-2021-24386 · Tinymce · Tinymce

Published 2021-05-28 · Updated 2021-05-28


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: TinyMCE 5.7.0 and earlier
Description: A cross-site scripting (XSS) vulnerability was found in the URL sanitization logic of the core parser for form elements. Specially crafted content inserted into the editor via the clipboard or the editor APIs could carry a form whose URL attribute executed arbitrary JavaScript once the form was submitted. Because TinyMCE does not allow forms to be submitted while editing, the payload could not fire inside the editor itself; it was triggered only when the stored content was previewed or rendered outside the editor, so any page that displays editor output unfiltered is the exposure point.
Recommendations:
  • Upgrade to TinyMCE 5.7.1 or higher, which fixes the parser.
  • If you cannot upgrade yet, disable form elements in your content with the invalid_elements setting, for example invalid_elements: 'form'.
  • As a temporary workaround where forms must stay editable, register a node filter on the editor parser to sanitize form URL attributes yourself, for example editor.parser.addNodeFilter('form', function(nodes) {...}), and reject any attribute value whose scheme is not one you explicitly allow.
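The following is an added worked example of the two workarounds above; it is not code from the TinyMCE project or from this advisory. It assumes the TinyMCE 5 API as documented (editor.on('PreInit', ...), editor.parser.addNodeFilter(name, callback), and node.attr(name) / node.attr(name, null) on parser nodes), and a hypothetical selector `textarea#content`. The URL check is an allow-list of schemes, which is stricter than a deny-list of javascript:/vbscript:/data:, and it goes slightly beyond the advisory by also covering the `formaction` attribute on buttons and inputs, which overrides the form's own action.

```javascript
// Added example (not TinyMCE project code): conservative URL check for
// form URL attributes, a node-filter body that applies it, and the two
// editor configurations (invalid_elements vs. node filter) from the advisory.

// Schemes we are willing to keep. Anything else, including an unparseable
// scheme, is dropped. Assumed policy for this example; adjust to your site.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Returns true if `value` is safe to keep as a URL attribute value.
// Browsers ignore ASCII tab/LF/CR inside a URL and strip leading/trailing
// C0 controls and spaces before reading the scheme, so "jav\tascript:alert(1)"
// still executes; we strip the same characters before inspecting the scheme.
// Values coming from the TinyMCE parser are already entity-decoded, so
// "&#106;avascript:" reaches this function as "javascript:".
function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  const cleaned = value.replace(/[\u0000-\u0020\u007f-\u009f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) {
    // No scheme: relative ("/submit"), scheme-relative ("//host/x"), query
    // or fragment URL. "foo/bar:baz" lands here too, because the first ':'
    // follows a '/', so it cannot be a scheme. Treated as safe.
    return true;
  }
  // Note: a bare "file.txt:1" parses as scheme "file.txt" and is rejected;
  // that is the conservative side of an allow-list.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Body of an addNodeFilter callback. `nodes` is the array TinyMCE passes in;
// attr(name) reads, attr(name, null) removes. Returns the number of attributes
// removed so callers (and tests) can observe what happened.
function sanitizeUrlAttr(nodes, attrName) {
  let dropped = 0;
  for (const node of nodes) {
    const value = node.attr(attrName);
    if (value !== undefined && value !== null && !isSafeUrl(value)) {
      node.attr(attrName, null);
      dropped += 1;
    }
  }
  return dropped;
}

// Builds a tinymce.init() configuration object.
//   allowForms === false -> strip <form> entirely via invalid_elements.
//   allowForms === true  -> keep forms but sanitize their URL attributes.
function buildEditorConfig(allowForms) {
  const config = { selector: 'textarea#content' }; // hypothetical selector
  if (!allowForms) {
    config.invalid_elements = 'form';
    return config;
  }
  config.setup = function (editor) {
    // The parser exists by PreInit; register node filters there.
    editor.on('PreInit', function () {
      editor.parser.addNodeFilter('form', function (nodes) {
        sanitizeUrlAttr(nodes, 'action');
      });
      // formaction on submit controls overrides the form's action, so it
      // needs the same treatment (this goes beyond the advisory's example).
      editor.parser.addNodeFilter('button,input', function (nodes) {
        sanitizeUrlAttr(nodes, 'formaction');
      });
    });
  };
  return config;
}

// Minimal stand-in for a parser node, used only for the offline demo below
// (constructed input; a real filter receives tinymce.html.Node objects).
function fakeNode(attrs) {
  return {
    attrs: { ...attrs },
    attr(name, value) {
      if (arguments.length === 1) return this.attrs[name];
      if (value === null) delete this.attrs[name]; else this.attrs[name] = value;
    },
  };
}

// Offline demo: one benign form, one carrying a whitespace-obfuscated payload.
const demoNodes = [
  fakeNode({ action: '/contact' }),
  fakeNode({ action: 'jav\tascript:alert(document.domain)' }),
];
console.log('dropped', sanitizeUrlAttr(demoNodes, 'action'), 'attribute(s)');
console.log(demoNodes.map((n) => n.attrs));
```

Wire `buildEditorConfig(true)` into `tinymce.init(...)` on a patched or unpatched editor as defence in depth; the filter runs whenever content is parsed, including clipboard and setContent paths. Remember that the rendering page, not the editor, is where this XSS fires, so the same URL check belongs in whatever sanitizes stored content before display.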

XSS

Related Identifiers

GHSA-5VM8-HHGR-JCJP

Affected Products

Tinymce