Cross-site Scripting (XSS) Affecting tinymce package, versions *
Threat Intelligence
EPSS: 0.39% (74th percentile)
- Snyk ID SNYK-DEBIAN10-TINYMCE-6143545
- published 4 Jan 2024
- disclosed 3 Jan 2024
Introduced: 3 Jan 2024
CVE-2024-21910
How to fix?
There is no fixed version for Debian:10 tinymce.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tinymce package and not the tinymce package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
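The description above covers the vulnerability class: a link or image URL supplied by an untrusted party ends up in an `href` or `src` attribute with a scheme such as `javascript:` that the browser executes. The usual mitigation on the application side is to allow-list URL schemes before any user-supplied URL is inserted into editor content. The following is an added example of such a check, not code from TinyMCE, django-tinymce or Snyk; the function names `sanitizeUrl`, `linkHtml` and `imageHtml` are assumptions for illustration. It relies on the WHATWG `URL` parser available in browsers and Node, which strips leading whitespace and embedded tabs and newlines before reading the scheme, so it classifies inputs the same way the browser will.

```javascript
// Added example (not TinyMCE's or django-tinymce's own code): scheme
// allow-listing for user-supplied link and image URLs.

// Schemes an application would typically allow for links and for images.
// These sets are assumptions for the example.
const LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const IMAGE_SCHEMES = new Set(["http:", "https:"]);

// Base used only to resolve relative URLs so the parser never throws on them.
// A relative URL inherits this base's scheme, which is on every allow-list,
// so "images/pic.png" passes while "javascript:..." does not.
const RESOLVE_BASE = "https://placeholder.invalid/";

// Returns the normalised URL string if its scheme is allowed, otherwise null.
// The WHATWG parser removes tabs/newlines and leading/trailing controls,
// so " java\nscript:alert(1)" is still recognised as a javascript: URL.
function sanitizeUrl(raw, allowed = LINK_SCHEMES) {
  if (typeof raw !== "string") return null;
  const cleaned = raw.replace(/[\t\n\r]/g, "").trim();
  if (cleaned === "") return null;
  let parsed;
  try {
    parsed = new URL(cleaned, RESOLVE_BASE);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
  if (!allowed.has(parsed.protocol)) return null;
  return cleaned;
}

// Attribute/text escaping so user-supplied text cannot break out of an
// attribute value (e.g. an alt text containing `" onerror="...`).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds an <a> element, or returns null if the URL scheme is not allowed.
function linkHtml(text, href) {
  const safeHref = sanitizeUrl(href, LINK_SCHEMES);
  if (safeHref === null) return null;
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(text)}</a>`;
}

// Builds an <img> element, or returns null if the URL scheme is not allowed.
function imageHtml(src, alt) {
  const safeSrc = sanitizeUrl(src, IMAGE_SCHEMES);
  if (safeSrc === null) return null;
  return `<img src="${escapeHtml(safeSrc)}" alt="${escapeHtml(alt)}">`;
}

// Constructed sample inputs of the kind the advisory describes.
const samples = [
  "https://example.invalid/pic.png",
  "images/pic.png",
  "javascript:alert(1)",
  " \tJava\nScript:alert(1)",
  "data:text/html;base64,AAAA",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", imageHtml(s, "user supplied alt"));
}

module.exports = { LINK_SCHEMES, IMAGE_SCHEMES, sanitizeUrl, escapeHtml, linkHtml, imageHtml };
```

Rejecting rather than silently rewriting is deliberate: a rejected URL surfaces as a validation error the user can see, while a quietly stripped one hides the fact that untrusted input reached the editor.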
References
- https://security-tracker.debian.org/tracker/CVE-2024-21910
- https://github.com/advisories/GHSA-r8hm-w5f7-wj39
- https://github.com/jazzband/django-tinymce/issues/366
- https://github.com/jazzband/django-tinymce/releases/tag/3.4.0
- https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
- https://pypi.org/project/django-tinymce/3.4.0/
- https://vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39
CVSS Scores
version 3.1