CVE-2024-38357

Source: ubuntu.com (Ubuntu CVE tracker), id UB:CVE-2024-38357
Published: Jun 20, 2024 - 12:00 a.m.
Tags: tinymce, xss, vulnerability, content parsing, patched, version 7.2.0, version 6.8.4, version 5.11.0 lts, upgrade, noscript elements, malicious code, open source, rich text editor

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 15.7%)

TinyMCE is an open source rich text editor. A cross-site scripting (XSS)
vulnerability was discovered in TinyMCE's content parsing code. It
allowed specially crafted noscript elements containing malicious code to be
executed when that content was loaded into the editor. The vulnerability
has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by
ensuring that content within noscript elements is properly parsed. Users
are advised to upgrade. There are no known workarounds for this
vulnerability.

Notes

Author Note (rodrigo-zaiden): roundcube includes tinymce source
