CVE-2024-21908
Cross-site scripting vulnerability in TinyMCE
Description
### Impact A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.9.0 or higher - Manually sanitize the content using the `BeforeSetContent` event (see below) #### Example: Manually sanitize content ```js editor.on('BeforeSetContent', function(e) { var sanitizedContent = ...; // Manually sanitize content here e.content = sanitizedContent; }); ``` ### Acknowledgements Tiny Technologies would like to thank William Bowling for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes ### For more information If you have any questions or comments about this advisory: * Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud) * Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)
How to fix CVE-2024-21908
To remediate CVE-2024-21908, upgrade the affected package to a fixed version below.
- —upgrade to 5.9.0 or later
- —upgrade to 5.9.0 or later
- —upgrade to 5.9.0 or later
Is CVE-2024-21908 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.