Moderate severity · NVD Advisory · Published Mar 26, 2024 · Updated Aug 6, 2024
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
CVE-2024-29203
Description
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tinymce (npm) | < 6.8.1 | 6.8.1 |
| TinyMCE (NuGet) | < 6.8.1 | 6.8.1 |
| tinymce/tinymce (Packagist) | < 6.8.1 | 6.8.1 |
Affected products (4)
- ghsa-coords, 3 versions: < 6.8.1 + 2 more
- (no CPE), range: < 6.8.1
- (no CPE), range: < 6.8.1
- (no CPE), range: < 6.8.1
References (6)
- github.com/advisories/GHSA-438c-3975-5x3f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-29203 (ghsa, ADVISORY)
- github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1 (ghsa, x_refsource_MISC, WEB)
- github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f (ghsa, x_refsource_CONFIRM, WEB)
- www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/ (ghsa, x_refsource_MISC, WEB)
- www.tiny.cloud/docs/tinymce/7/7.0-release-notes/ (ghsa, x_refsource_MISC, WEB)