CVE-2024-38357

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

No configuration.

History

21 Nov 2024, 09:25

Type Values Removed Values Added
References () https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d - () https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d -
References () https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x - () https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x -
References () https://owasp.org/www-community/attacks/xss - () https://owasp.org/www-community/attacks/xss -
References () https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview - () https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview -
References () https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview - () https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview -

20 Jun 2024, 12:43

Type Values Removed Values Added
Summary
  • (es) TinyMCE es un editor de texto enriquecido de código abierto. Se descubrió una vulnerabilidad de cross-site scripting (XSS) en el código de análisis de contenido de TinyMCE. Esto permitió que se ejecutaran elementos noscript especialmente manipulados que contenían código malicioso cuando ese contenido se cargaba en el editor. Esta vulnerabilidad se ha solucionado en TinyMCE 7.2.0, TinyMCE 6.8.4 y TinyMCE 5.11.0 LTS garantizando que el contenido dentro de los elementos noscript se analice correctamente. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

19 Jun 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-19 20:15

Updated : 2024-11-21 09:25


NVD link : CVE-2024-38357

Mitre link : CVE-2024-38357

CVE.ORG link : CVE-2024-38357


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')