
Potentially Serious Vulnerability Found in Popular WYSIWYG Editor TinyMCE
2020-08-13 11:53

A potentially serious cross-site scripting vulnerability affecting the TinyMCE rich text editor can be exploited - depending on the implementation - for privilege escalation, obtaining information, or account takeover.

Researchers at Bishop Fox discovered in April that TinyMCE is affected by an XSS vulnerability whose impact depends on the application using the editor.

He explained, "The exact details of exploitation vary with implementation, but generally an attacker needs to get tinyMCE to interpret the crafted string. This could be on initial page load, or by using some other portion of the site's functionality. At a low level, if tinyMCE's setContent() or insertContent() functions were called with a crafted payload, the XSS would trigger. TinyMCE indicated that the vulnerability was in their 'core parser', which may indicate there were other ways to trigger this vulnerability."

"We encourage all users to upgrade to TinyMCE 5.4.1, as TinyMCE 4 will reach end-of-life in December 2020. Customers using the "/5" channel of our cloud-hosted TinyMCE will receive the update automatically," Just told SecurityWeek.

"TinyMCE is a web-based rich text editor, and the issue relates to content not being correctly sanitized before being loaded into the editor. We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5. Further to this, we recommend that users sanitize content server-side, and add a suitable Content Security Policy to their websites," he explained.
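The following is an added example, not code from TinyMCE or from the researchers, showing the server-side sanitization step the maintainers recommend: user-supplied HTML is rebuilt from an allowlist of tags, attributes and URL schemes using only Python's standard library, so that what reaches setContent()/insertContent() contains no scripts, event handlers or javascript: links. The allowlists and the function names are assumptions for this example; in production a maintained sanitizer (DOMPurify, bleach) paired with a Content Security Policy is the better choice.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlists are an assumption for this example; tune them per application.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # per-tag attribute allowlist
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
RAW_TEXT_TAGS = {"script", "style"}             # the tag AND its text are dropped

def _safe_url(value):
    # Browsers ignore ASCII controls/whitespace inside a scheme ("java\tscript:"),
    # so collapse them before the scheme is inspected.
    return urlparse(re.sub(r"[\x00-\x20]", "", value)).scheme.lower() in SAFE_SCHEMES

class AllowlistRebuilder(HTMLParser):
    # Rebuilds from allowlisted tokens only: unknown tags, comments, handlers vanish.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0   # skip > 0 inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and (n != "href" or _safe_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":                   # void element: nothing to close later
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while (top := self.open.pop()) != tag:   # close anything nested inside
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                     # text is re-escaped, never copied
            self.out.append(escape(data, quote=False))

def sanitize_for_editor(html):
    # Returns HTML that is safe to hand to TinyMCE's setContent()/insertContent().
    parser = AllowlistRebuilder()
    parser.feed(html)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open))  # balance leftovers
    return "".join(parser.out)
```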


News URL

http://feedproxy.google.com/~r/Securityweek/~3/fWvkoXvGfJ0/potentially-serious-vulnerability-found-popular-wysiwyg-editor-tinymce