CVE-2024-29203: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
References
- github.com/advisories/GHSA-438c-3975-5x3f
- github.com/tinymce/tinymce
- github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
- github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
- nvd.nist.gov/vuln/detail/CVE-2024-29203
- www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/
- www.tiny.cloud/docs/tinymce/7/7.0-release-notes/
Code Behaviors & Features
Detect and mitigate CVE-2024-29203 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →