Cross-site Scripting (XSS) Affecting tinymce package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-TINYMCE-6022880
- published 21 Oct 2023
- disclosed 19 Oct 2023
Introduced: 19 Oct 2023
CVE-2023-45818 Open this link in a new tabHow to fix?
There is no fixed version for Debian:10 tinymce.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tinymce package and not the tinymce package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
- https://security-tracker.debian.org/tracker/CVE-2023-45818
- https://github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv
- https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations
- https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
- https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes
- https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser/