CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe
elements containing malicious code to execute when inserted into the editor. These iframe
elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
TinyMCE 6.8.1 introduced a new sandbox_iframes
boolean option which adds the sandbox=""
attribute to every iframe
element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe
elements. From TinyMCE 7.0.0 onwards the default value of this option is true
.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions
option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox=""
attribute applied when the sandbox_iframes
option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe
elements from every domain, set this option to []
.
The HTTP Content-Security-Policy (CSP) frame-src
or object-src
can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.
github.com/tinymce/tinymce
github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
nvd.nist.gov/vuln/detail/CVE-2024-29203
www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%