PT-2024-22805 · Tinymce · Tinymce

Ekimchau · Published 2024-03-26 · Updated 2026-03-19 · CVE-2024-29203

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 6.8.1

Description: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content insertion code. It allowed iframe elements containing malicious code to execute when inserted into the editor. Such iframe elements are restricted in their permissions by the browser's same-origin protections, but they could still trigger operations such as downloading malicious assets.

Recommendations: For versions prior to 6.8.1, update to version 6.8.1 or later to fix the vulnerability. As a temporary workaround, consider configuring the HTTP Content-Security-Policy (CSP) frame-src or object-src directives to restrict or block the loading of unauthorized URLs. In TinyMCE 7.0.0 and later, the sandbox_iframes option is enabled by default, which adds the sandbox="" attribute to every iframe element. To sandbox iframe elements from every domain, set the sandbox_iframes_exclusions option to [].
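As an added example (not TinyMCE's or this advisory's own code), a small server-side filter that applies the same hardening TinyMCE 7 enables by default to content already stored from older editor versions: it adds sandbox="" to every iframe unless the iframe's host is on an exclusion list (an empty list sandboxes every domain, like sandbox_iframes_exclusions: []), and counts iframes still missing the attribute for an audit. The function names, the regex-based tag handling and the constructed sample HTML are assumptions of this example.

```javascript
// Added example, not TinyMCE's own code. sandbox="" is the most restrictive value:
// no scripts, no forms, no downloads and no same-origin access for the frame.
// Assumptions: regex-based tag handling (use a real HTML parser in production) and
// any pre-existing sandbox value is replaced by the empty one, not merged.

const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Matches a bare `sandbox` attribute or `sandbox=<value>` so it can be replaced.
const SANDBOX_RE = /\s+sandbox(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?(?=\s|\/|$)/gi;

// Host of the iframe's src, or null when it is relative, unparsable or has no
// host (javascript: and data: URLs); all of those are treated as untrusted.
function iframeHost(attrs) {
  const m = SRC_RE.exec(attrs);
  if (!m) return null;
  const src = m[1] ?? m[2] ?? m[3];
  try {
    return new URL(src).hostname.toLowerCase() || null;
  } catch {
    return null;
  }
}

// Rewrite every <iframe> start tag in `html` to carry sandbox="", except
// iframes whose src host is listed in `exclusions` (case-insensitive).
function sandboxIframes(html, exclusions = []) {
  const allowed = new Set(exclusions.map((h) => h.toLowerCase()));
  return html.replace(/<iframe\b([^>]*)>/gi, (tag, attrs) => {
    const host = iframeHost(attrs);
    if (host && allowed.has(host)) return tag; // explicitly trusted embed host
    const selfClosing = /\/\s*$/.test(attrs);
    const rest = attrs.replace(/\/\s*$/, '').replace(SANDBOX_RE, '').trimEnd();
    return `<iframe${rest} sandbox=""${selfClosing ? ' /' : ''}>`;
  });
}

// Audit helper: number of <iframe> start tags that carry no sandbox attribute.
function unsandboxedCount(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter((t) => !/\ssandbox(\s*=|\s|\/|>)/i.test(t)).length;
}

// Constructed sample content, as an older editor might have stored it.
const SAMPLE = '<p>hi</p><iframe src="https://evil.example/x.html"></iframe>'
  + '<iframe sandbox="allow-scripts allow-same-origin" src="https://a.example/"></iframe>';
console.log(unsandboxedCount(SAMPLE), '->', unsandboxedCount(sandboxIframes(SAMPLE)));
```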

Tags: Exploit, Fix, XSS

Weakness Enumeration

Related Identifiers: CVE-2024-29203, GHSA-438C-3975-5X3F

Affected Products: Tinymce