Access Restriction Bypass Affecting tinymce package, versions *
Threat Intelligence
EPSS: 0.23% (62nd percentile)
- Snyk ID SNYK-DEBIAN10-TINYMCE-273078
- published 25 Apr 2014
- disclosed 25 Apr 2014
Introduced: 25 Apr 2014
CVE-2012-4230
How to fix?
There is no fixed version for Debian:10 tinymce.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tinymce package and not the tinymce package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.
References
- https://security-tracker.debian.org/tracker/CVE-2012-4230
- http://osvdb.org/91130
- http://packetstormsecurity.com/files/120750/TinyMCE-3.5.8-Cross-Site-Scripting.html
- http://www.madirish.net/554
- http://seclists.org/fulldisclosure/2013/Mar/114
- http://www.securityfocus.com/bid/58424
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-4230
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82744
CVSS Scores
version 3.1