PT-2024-23105 · Tinymce · Tinymce

Toni Huttunen · Published 2024-03-26 · Updated 2026-03-19 · CVE-2024-29881

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 6.8.1; TinyMCE versions prior to 7.0.0

Description: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content loading and content inserting code. An SVG image could be loaded through an object or embed element, and that image could potentially contain an XSS payload.

Recommendations: For versions prior to 6.8.1, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs. For versions 6.8.1 and higher, set the convert_unsafe_embeds option to true. For any earlier versions, consider temporarily disabling the use of object and embed elements until a patch is available.
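The mitigation above, as an added example that is neither the advisory's nor the TinyMCE project's own code: a NodeFilter that drops object and embed elements, registered on both the parser and the serializer as recommended, plus a small helper that selects the filter for versions before 6.8.1 and the convert_unsafe_embeds option otherwise. The node fields used (name, remove()) follow the TinyMCE 6 DomParser Node API; the version-selection helper is an assumption added for illustration.

```javascript
// Added example (not from the advisory or TinyMCE). Assumes the TinyMCE 6
// DomParser Node API: filter callbacks receive an array of nodes, each with
// a `name` and a `remove()` method.

// Element names the filter is registered for (TinyMCE accepts a comma list).
const UNSAFE_EMBED_SELECTOR = 'object,embed';

// Filter callback: remove every object/embed node so an SVG loaded through
// either element never reaches the document. Returns the number of nodes
// removed so the behaviour can be checked without a browser DOM.
function stripUnsafeEmbeds(nodes) {
  let removed = 0;
  for (const node of nodes) {
    if (node.name === 'object' || node.name === 'embed') {
      node.remove();
      removed += 1;
    }
  }
  return removed;
}

// Register the same filter on the parser (content being loaded or inserted)
// and the serializer (content being read back out), covering both paths the
// advisory names. Intended for use as the `setup` callback of tinymce.init.
function registerUnsafeEmbedFilter(editor) {
  editor.parser.addNodeFilter(UNSAFE_EMBED_SELECTOR, stripUnsafeEmbeds);
  editor.serializer.addNodeFilter(UNSAFE_EMBED_SELECTOR, stripUnsafeEmbeds);
}

// Dotted-version comparison (assumed helper, not a TinyMCE API).
function versionAtLeast(version, minimum) {
  const a = version.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i += 1) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Pick the hardening for the TinyMCE version in use: 6.8.1 and later ship
// the convert_unsafe_embeds option; earlier versions need the custom filter.
// The returned object is merged into the tinymce.init configuration.
function hardeningFor(version) {
  return versionAtLeast(version, '6.8.1')
    ? { convert_unsafe_embeds: true }
    : { setup: registerUnsafeEmbedFilter };
}
```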

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-29881
GHSA-5359-PVF2-PW78

Affected Products

Tinymce