TinyMCE
Stored cross-site scripting in the TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit was identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. The issue affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled. No public exploit was identified at time of analysis, despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.
Stored cross-site scripting in the TinyMCE rich text editor, versions prior to 5.11.1, 7.9.3, and 8.5.1, allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content. No public exploit was identified at time of analysis, though the upstream GitHub advisory provides technical detail useful to researchers.
Stored/reflected cross-site scripting in the TinyMCE rich text editor, versions 6.8.0 through 7.0.x, allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit was identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.