GHSA-9hcv-j9pv-qmph: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

June 19, 2024

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

References

github.com/advisories/GHSA-9hcv-j9pv-qmph
github.com/tinymce/tinymce
github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph
www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/
www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/

Code Behaviors & Features

Detect and mitigate GHSA-9hcv-j9pv-qmph with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →