Vulnerabilities (CVE)

Filtered by vendor Tinymce Subscribe
Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-3845 2 Tinymce, Wordpress 2 Color Picker, Wordpress 2024-11-21 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information.
CVE-2014-3844 2 Tinymce, Wordpress 2 Color Picker, Wordpress 2024-11-21 5.0 MEDIUM N/A
The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.
CVE-2013-2204 2 Tinymce, Wordpress 2 Media, Wordpress 2024-11-21 4.3 MEDIUM N/A
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
CVE-2012-6112 2 Moodle, Tinymce 2 Moodle, Spellchecker Php 2024-11-21 5.0 MEDIUM N/A
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.
CVE-2012-4230 1 Tinymce 1 Tinymce 2024-11-21 4.3 MEDIUM N/A
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.
CVE-2012-3414 3 Swfupload Project, Tinymce, Wordpress 3 Swfupload, Image Manager, Wordpress 2024-11-21 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
CVE-2011-4825 3 Phpletter, Phpmyfaq, Tinymce 3 Ajax File And Image Manager, Phpmyfaq, Tinymce 2024-11-21 7.5 HIGH N/A
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.