tinymce@6.2.0

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that bypasses sanitization and is executed when the content is restored.

Upgrade tinymce to version 7.9.3, 8.5.1 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the media plugin when handling crafted data-mce-* attributes. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious content that is rendered when the affected plugin is enabled. This is only exploitable if the media plugin is enabled.

Upgrade tinymce to version 7.9.3, 8.5.1 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when using the noneditable_regexp option on an element whose content does not match the regex. An attacker can inject malicious scripts into HTML attributes that are executed when extracted from the editor.

Upgrade tinymce to version 6.8.4, 7.2.0 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when parsing noscript elements in the editor. An attacker can bypass sanitization by placing malicious code in noscript elements.

Upgrade tinymce to version 6.8.4, 7.2.0 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via iframe elements inserted into the editor. Attacks are limited by same-origin browser protections, but downloading files is still possible.

Upgrade tinymce to version 7.0.0 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading SVG files via object or embed elements.

Upgrade tinymce to version 7.0.0 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via mutation of inner HTML. An attacker can inject malicious scripts that pass the initial sanitization layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Text nodes in some parents are not sufficiently escaped upon serialization and can contain a special character reserved as an internal marker.

Upgrade tinymce to version 5.10.9, 6.7.3 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the core undo and redo functionality. An attacker can exploit this vulnerability by passing a carefully-crafted HTML snippet that bypasses the sanitisation layer, is manipulated as a string by internal trimming functions, and is stored in the undo stack. If the HTML snippet is restored from the undo stack, the reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously.

Upgrade tinymce to version 5.10.8, 6.7.1 or higher.

tinymce is a web-based JavaScript HTML WYSIWYG editor control.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Notification Manager API due to improper input sanitization. An attacker can execute arbitrary JavaScript when a notification is presented in the UI for the current user by inserting carefully crafted malicious content into the editor and triggering a notification.

Upgrade tinymce to version 5.10.8, 6.7.1 or higher.