Cross-site Scripting (XSS) Affecting tinymce package, versions *


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    0.2% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN10-TINYMCE-6143544
  • published 4 Jan 2024
  • disclosed 3 Jan 2024

How to fix?

There is no fixed version for Debian:10 tinymce.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tinymce package and not the tinymce package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.

CVSS Scores

version 3.1
Expand this section

NVD

6.1 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None