The flaw is considered critical, and its
specially designed command into the text editor using the clipboard feature or its
APIs, according to the bug report published on GitHub.
TinyMCE has become one of the most used tools
libraries and its easy integration into content
management systems (CMS), according to the digital forensics expert who
found the flaw. As for affected versions, TinyMCE 4.9.6 and lower, as well as
TinyMCE 5.1.3 and lower, are potentially exposed to exploitation of the XSS
flaw.
In a statement, the developers mentioned that
the problem relates to content that is not properly sanitized before being
loaded into the editor. For remediation, updated versions of TinyMCE 4 and 5
Users of any of these versions should upgrade
to TinyMCE 4.9.7 or 5.1.4. In addition, it is mentioned that the affected
plugins are the parser, paste and visualchars.
The security update for this vulnerability is
now available. The fix addresses the problem with improved parser logic and
the inclusion of an HTML sanitizer; the full technical details are found in
the TinyMCE report.
The digital forensics expert who reported the
vulnerability also revealed a workaround that involves disabling the affected
plugins and manually sanitizing content using the BeforeSetContent event.
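The workaround described above could be wired up as follows. This is an added example, not code from the TinyMCE report: the DOMPurify global, the `textarea#editor` selector, the plugin list and the helper names are assumptions made for illustration.

```javascript
// Added example, not TinyMCE's own code. Interim workaround for editors that
// cannot be upgraded yet: sanitize all content on the BeforeSetContent event.

// Fallback when no HTML sanitizer is loaded: escape all markup so it renders
// as inert text (formatting is lost, but nothing can execute).
function escapeHtml(html) {
  return html.replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Assumption: DOMPurify was loaded through a <script> tag and is a global.
function pickSanitizer() {
  if (typeof DOMPurify !== 'undefined' && typeof DOMPurify.sanitize === 'function') {
    return function (html) { return DOMPurify.sanitize(html); };
  }
  return escapeHtml;
}

// Register the handler. It fails closed: if the sanitizer throws or returns
// something other than a string, the content is dropped instead of passed on.
function installSanitizer(editor, sanitize) {
  editor.on('BeforeSetContent', function (e) {
    if (typeof e.content !== 'string' || e.content === '') return;
    var clean;
    try { clean = sanitize(e.content); } catch (err) { clean = ''; }
    e.content = typeof clean === 'string' ? clean : '';
  });
}

// Browser-only wiring; skipped when TinyMCE is not present (e.g. under Node).
if (typeof tinymce !== 'undefined') {
  tinymce.init({
    selector: 'textarea#editor',  // hypothetical selector
    plugins: 'link lists',        // constructed list: paste and visualchars left out
    setup: function (editor) { installSanitizer(editor, pickSanitizer()); }
  });
}
```

The escaping fallback is deliberately blunt, so pages that need rich content preserved should make sure a real HTML sanitizer is loaded before the editor initializes.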
According to the International Institute of
Cyber Security (IICS), millions of people use TinyMCE on a daily basis, and
its plugins support the operation of almost 40% of all websites in
the world, so it was vital to find a solution for this vulnerability before
threat actors began actively exploiting it in the wild.