Cross-site scripting in tinymce - #VU131914

 

Cross-site scripting in tinymce - #VU131914

Published: May 27, 2021 / Updated: May 20, 2026


Vulnerability identifier: #VU131914
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: tinymce
Affected software:
tinymce

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript.

The vulnerability exists due to improper neutralization of input during web page generation in the core parser for form elements when processing specially crafted content inserted through the clipboard or APIs and later rendering or previewing the content outside of the editor. A remote attacker can insert specially crafted content to execute arbitrary JavaScript.

The issue can only be triggered when the content is previewed or rendered outside of the editor, because forms cannot be submitted while editing.


Remediation

Install security update from vendor's website.

Sources