#VU35706 Cross-site scripting in tinymce


Published: 2019-07-17 | Updated: 2020-08-08

Vulnerability identifier: #VU35706

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1010091

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tinymce
Web applications / JS libraries

Vendor: tinymce

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tinymce: 5.0.0 - 5.2.1

External links
http://github.com/tinymce/tinymce/issues/4394

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Maximo Asset Management
Cross-site scripting in tinymce