
High-Severity TinyMCE Cross-Site Scripting Flaw Fixed
2020-08-13 12:34

Researchers found a cross-site scripting flaw built into TinyMCE, caused by content not being correctly sanitized before it is loaded into the editor.

George Steketee, Senior Security Consultant with Bishop Fox, told Threatpost that in a real-world attack a web forum may use TinyMCE to provide an interface for creating formatted text.

Researchers urge TinyMCE users to make sure they are running an updated version, particularly if they do not implement additional XSS protections such as a strict Content Security Policy.

The flaw exists in TinyMCE versions 5.2.0 and earlier.

"We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5. Further to this, we recommend that users sanitize content server-side, and add a suitable Content Security Policy to their websites."

News URL

https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/