CVE-2024-38356: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
(updated )
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
References
- github.com/advisories/GHSA-9hcv-j9pv-qmph
- github.com/tinymce/tinymce
- github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d
- github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0
- github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph
- nvd.nist.gov/vuln/detail/CVE-2024-38356
- owasp.org/www-community/attacks/xss
- www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/
- www.tiny.cloud/docs/tinymce/7/7.2-release-notes/
- www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/
Code Behaviors & Features
Detect and mitigate CVE-2024-38356 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →