NuGet package
tinymce
pkg:nuget/tinymce
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-38357 | Med | 6.1 | | < 5.11.0 | 5.11.0 | Jun 19, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vu |
| CVE-2024-38356 | Med | 6.1 | | < 5.11.0 | 5.11.0 | Jun 19, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when conten |
| CVE-2024-29881 | — | | | < 7.0.0 | 7.0.0 | Mar 26, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded through an `object` or `embed` element and that image could potentially contain a XSS payload |
| CVE-2024-29203 | — | | | < 6.8.1 | 6.8.1 | Mar 26, 2024 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted i |
| CVE-2024-21911 | — | | | < 5.6.0 | 5.6.0 | Jan 3, 2024 | TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. |
| CVE-2024-21910 | — | | | < 5.10.0 | 5.10.0 | Jan 3, 2024 | TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser. |
| CVE-2024-21908 | — | | | < 5.9.0 | 5.9.0 | Jan 3, 2024 | TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. |
| CVE-2023-48219 | — | | | < 5.10.9 | 5.10.9 | Nov 15, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standa |
| CVE-2023-45818 | — | | | >= 6.0.0, < 6.7.1 | 6.7.1 | Oct 19, 2023 | TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimmi |
| CVE-2023-45819 | — | | | >= 6.0.0, < 6.7.1 | 6.7.1 | Oct 19, 2023 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requi |
| CVE-2022-23494 | — | | | >= 6.0.0, < 6.3.1 | 6.3.1 | Dec 8, 2022 | tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `im |