Vulnerabilities > Tinymce
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-05-22 | CVE-2014-3845 | Cross-Site Request Forgery (CSRF) vulnerability in Tinymce Color Picker Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. | 6.8 |
| 2014-05-22 | CVE-2014-3844 | Permissions, Privileges, and Access Controls vulnerability in Tinymce Color Picker The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. | 5.0 |
| 2014-04-25 | CVE-2012-4230 | Permissions, Privileges, and Access Controls vulnerability in Tinymce 3.5.8 The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element. | 4.3 |
| 2013-07-19 | CVE-2012-3414 | Cross-Site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. | 4.3 |
| 2013-07-08 | CVE-2013-2204 | Improper Input Validation vulnerability in multiple products moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character. | 4.3 |
| 2013-01-27 | CVE-2012-6112 | Permissions, Privileges, and Access Controls vulnerability in multiple products classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. | 5.0 |
| 2011-12-15 | CVE-2011-4825 | Code Injection vulnerability in multiple products Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters. | 7.5 |