PT-2024-40085 · Tinymce · Tinymce

Published: 2024-07-17 · Updated: 2024-07-17

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: TinyMCE version 6
Description: The issue arises when the configuration option `convert_unsafe_embeds` is set to `false`. In that state, SVG files containing JavaScript can be loaded through `<object>` or `<embed>` tags in editor content, potentially leading to XSS. Note that `<embed>` tags are not allowed by default. The impact is rated medium, given the contexts in which TinyMCE is typically used.
Recommendations: For TinyMCE version 6, set the configuration option `convert_unsafe_embeds` to `true` to mitigate the risk. Overriding this option is possible where necessary, but be aware that doing so may introduce security risks. As a temporary workaround, consider restricting the use of `<object>` tags until the issue is resolved.

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-52CW-PVQ9-9M5V

Affected Products

Tinymce