CVE-2022-23494

Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 5.10.7 TinyMCE versions prior to 6.3.1

Description A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user.

Recommendations To avoid this vulnerability, upgrade to TinyMCE 5.10.7 or higher for TinyMCE 5.x. To avoid this vulnerability, upgrade to TinyMCE 6.3.1 or higher for TinyMCE 6.x. As a temporary workaround, ensure the images upload handler returns a valid value as per the images upload handler documentation.