Skip to main content

Tinymce CVE-2012-4230

MEDIUM
Permissions, Privileges, and Access Controls (CWE-264)
2014-04-25 cve@mitre.org
4.3
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector
Network
Attack Complexity
M
Confidentiality
None
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 25, 2014 - 14:15 cve.org
MEDIUM 4.3

DescriptionCVE.org

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.

AnalysisAI

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-264. The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element. Affected products include: Tinymce.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-21911 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2024-21910 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), t

CVE-2024-21908 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2020-17480 MEDIUM POC
6.1 Aug 10

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by

CVE-2019-1010091 MEDIUM POC
6.1 Jul 17

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. Rated medium

CVE-2026-47762 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript b

CVE-2026-47761 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via

CVE-2026-47759 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated

CVE-2026-47760 HIGH
8.7 May 28

Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated user

CVE-2024-29881 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2024-29203 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2023-48219 MEDIUM
6.1 Nov 15

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

Share

CVE-2012-4230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy