npm package
tinymce
pkg:npm/tinymce
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-38357 | Med | 6.1 | < 5.11.0 | 5.11.0 | Jun 19, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vu | |
| CVE-2024-38356 | Med | 6.1 | < 5.11.0 | 5.11.0 | Jun 19, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when conten | |
| CVE-2024-29881 | — | < 7.0.0 | 7.0.0 | Mar 26, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could potentially contain a XSS payload | ||
| CVE-2024-29203 | — | < 6.8.1 | 6.8.1 | Mar 26, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted i | ||
| CVE-2024-21911 | — | < 5.6.0 | 5.6.0 | Jan 3, 2024 | TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | ||
| CVE-2024-21910 | — | < 5.10.0 | 5.10.0 | Jan 3, 2024 | TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser. | ||
| CVE-2024-21908 | — | < 5.9.0 | 5.9.0 | Jan 3, 2024 | TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | ||
| CVE-2023-48219 | — | < 5.10.9 | 5.10.9 | Nov 15, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standa | ||
| CVE-2023-45818 | — | >= 6.0.0, < 6.7.1 | 6.7.1 | Oct 19, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimmi | ||
| CVE-2023-45819 | — | >= 6.0.0, < 6.7.1 | 6.7.1 | Oct 19, 2023 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requi | ||
| CVE-2022-23494 | — | >= 6.0.0, < 6.3.1 | 6.3.1 | Dec 8, 2022 | tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `im | ||
| CVE-2020-12648 | — | < 4.9.11 | 4.9.11 | Aug 14, 2020 | A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode. | ||
| CVE-2020-17480 | — | < 4.9.7 | 4.9.7 | Aug 10, 2020 | TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor. | ||
| CVE-2019-1010091 | — | < 4.9.10 | 4.9.10 | Jul 17, 2019 | tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab. |
- affected < 5.11.0fixed 5.11.0
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vu
- affected < 5.11.0fixed 5.11.0
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when conten
- CVE-2024-29881Mar 26, 2024affected < 7.0.0fixed 7.0.0
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could potentially contain a XSS payload
- CVE-2024-29203Mar 26, 2024affected < 6.8.1fixed 6.8.1
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted i
- CVE-2024-21911Jan 3, 2024affected < 5.6.0fixed 5.6.0
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
- CVE-2024-21910Jan 3, 2024affected < 5.10.0fixed 5.10.0
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
- CVE-2024-21908Jan 3, 2024affected < 5.9.0fixed 5.9.0
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
- CVE-2023-48219Nov 15, 2023affected < 5.10.9fixed 5.10.9
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standa
- CVE-2023-45818Oct 19, 2023affected >= 6.0.0, < 6.7.1fixed 6.7.1
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimmi
- CVE-2023-45819Oct 19, 2023affected >= 6.0.0, < 6.7.1fixed 6.7.1
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requi
- CVE-2022-23494Dec 8, 2022affected >= 6.0.0, < 6.3.1fixed 6.3.1
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `im
- CVE-2020-12648Aug 14, 2020affected < 4.9.11fixed 4.9.11
A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlier allows remote attackers to inject arbitrary web script when configured in classic editing mode.
- CVE-2020-17480Aug 10, 2020affected < 4.9.7fixed 4.9.7
TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
- CVE-2019-1010091Jul 17, 2019affected < 4.9.10fixed 4.9.10
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.