Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debiancveDebian Security Bug TrackerDEBIANCVE:CVE-2024-38356
HistoryJun 19, 2024 - 8:15 p.m.

CVE-2024-38356

2024-06-1920:15:11
Debian Security Bug Tracker
security-tracker.debian.org
2
tinymce
open source
rich text editor
cross-site scripting
vulnerability

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0

Percentile

15.5%

JSON

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.

OSVersionArchitecturePackageVersionFilename
Debian10alltinymce<= 3.4.8+dfsg0-2tinymce_3.4.8+dfsg0-2_all.deb

Related

cvelist 1
nvd 1
vulnrichment 1
ubuntucve 1
osv 2
veracode 1
github 1
cve 1
ibm 2
cvelist
cvelist
CVE-2024-38356 TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
2024-06-19 20:03:47
nvd
nvd
CVE-2024-38356
2024-06-19 20:15:11
vulnrichment
vulnrichment
CVE-2024-38356 TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
2024-06-19 20:03:47
ubuntucve
ubuntucve
CVE-2024-38356
2024-06-19 00:00:00
osv
osv
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
2024-06-19 15:07:08
CVE-2024-38356
2024-06-19 20:15:11
veracode
veracode
Cross-Site Scripting (XSS)
2024-06-20 06:28:16
github
github
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
2024-06-19 15:07:08
cve
cve
CVE-2024-38356
2024-06-19 20:15:11
ibm
ibm
Security Bulletin: IBM Maximo Application Suite uses tinymce-6.8.3.tgz which is vulnerable to CVE-2024-38357, CVE-2024-38356
2024-09-19 15:46:08
Security Bulletin: There is a vulnerability in tinymce-6.8.1.min.js used by IBM Maximo Asset Management application (CVE-2024-38357, CVE-2024-38356)
2024-09-06 08:31:49

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0

Percentile

15.5%

JSON
Related for DEBIANCVE:CVE-2024-38356
cvelist1nvd1vulnrichment1ubuntucve1osv2veracode1github1cve1ibm2