Cross-site scripting in tinymce - #VU87824

 

Cross-site scripting in tinymce - #VU87824

Published: March 26, 2024


Vulnerability identifier: #VU87824
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: tinymce
Affected software:
tinymce

Detailed vulnerability description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when working with SVG images. A remote user can load a specially crafted SVG image through Object or Embed elements and execute arbitrary HTML and script code in user's browser in context of vulnerable website.


Remediation

Install updates from vendor's website.

Sources