Critical XSS vulnerability found in TinyMCE

A couple of days ago, a digital forensics researcher reported a cross-site scripting (XSS) vulnerability in the open source TinyMCE text editor that affects its core HTML parser and two of its plugins.

The flaw is rated critical. According to the advisory published on GitHub, exploiting it allows arbitrary JavaScript execution by inserting specially crafted content into the editor, either through the clipboard (paste) feature or through the editor's content APIs.

TinyMCE has become one of the most widely used editors among developers worldwide, thanks to its compatibility with the common JavaScript libraries and frameworks and its easy integration into content management systems (CMS), notes the researcher who found the flaw. The affected versions are TinyMCE 4.9.6 and earlier, and TinyMCE 5.1.3 and earlier.

In a statement, the developers said the problem stems from content not being properly sanitized before it is loaded into the editor. Updated versions of TinyMCE 4 and 5 were released as the remediation.

Users of the affected versions should upgrade to TinyMCE 4.9.7 or 5.1.4, respectively. The affected components are the core parser, the paste plugin and the visualchars plugin.

The security update for this vulnerability is now available. The fix addresses the problem with improved parser logic and the addition of an HTML cleaner; the full technical details are in the TinyMCE advisory.

The digital forensics expert who reported the vulnerability also described a workaround for deployments that cannot upgrade immediately: disable the affected plugins and manually sanitize content using the editor's BeforeSetContent event.
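The following is an added example, not code from the TinyMCE project or from the advisory, of what that workaround looks like in a TinyMCE 4/5 init call: the paste and visualchars plugins are left out of the plugin list, and a BeforeSetContent handler rewrites e.content through an allow-list sanitizer before it reaches the editor. The sanitizer sanitizeHtml, the plugin list 'lists link' and the selector 'textarea#editor' are assumptions made for this illustration. The allow-list approach shown is deliberately stricter than the specific bug requires: it drops every tag and attribute it does not know, discards the contents of script and style elements, and only keeps href values whose prefix is unambiguously safe.

```javascript
// Added example (not TinyMCE's own code): the workaround described above, a
// TinyMCE 4/5 configuration that leaves the paste and visualchars plugins out
// and sanitizes every piece of content through the BeforeSetContent event.
// sanitizeHtml is a hypothetical allow-list sanitizer written for this
// illustration; in production use a maintained library such as DOMPurify.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
  'h1', 'h2', 'h3', 'blockquote', 'a',
]);
const VOID_TAGS = new Set(['br']);
// Only <a> may carry attributes, and only these two; everything else
// (on* handlers, style, src, ...) is dropped because it is not listed.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };

// Accept only URLs whose prefix is unambiguous. Browsers strip ASCII
// whitespace and C0 controls before parsing a URL, so remove them first;
// anything else ("javascript:", entity-encoded schemes, bare hostnames) fails.
const SAFE_HREF = /^(?:https?:\/\/|mailto:|[\/#?]|\.\.?\/)/i;
function isSafeHref(value) {
  return SAFE_HREF.test(value.replace(/[\u0000-\u0020\u007f]/g, ''));
}

// One token per match: comment | start/end tag (name, raw attributes) | text | stray '<'.
const TOKEN = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>|[^<]+|</g;
const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const a of rawAttrs.matchAll(ATTR)) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (name === 'href' && !isSafeHref(value)) continue;
    // Re-quote with double quotes so a value taken from a single-quoted or
    // unquoted attribute cannot break out of the attribute.
    out += ` ${name}="${value.replace(/"/g, '&quot;').replace(/</g, '&lt;')}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let skipping = false; // inside <script>/<style>: drop the text too
  return html.replace(TOKEN, (m, name, rawAttrs) => {
    if (m.startsWith('<!--')) return '';
    if (name === undefined) {                 // text or a stray '<'
      if (skipping) return '';
      return m === '<' ? '&lt;' : m;
    }
    const tag = name.toLowerCase();
    const closing = m[1] === '/';
    if (tag === 'script' || tag === 'style') {
      skipping = !closing;
      return '';
    }
    if (skipping || !ALLOWED_TAGS.has(tag)) return '';
    if (closing) return VOID_TAGS.has(tag) ? '' : `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, rawAttrs)}>`;
  });
}

// Hardened editor configuration. 'lists' and 'link' are TinyMCE's built-in
// plugins; 'paste' and 'visualchars' are deliberately absent. Content loaded
// with setContent() (which is also how the initial value arrives) passes
// through BeforeSetContent, so the hook rewrites it before the parser sees it.
const hardenedTinyMceConfig = {
  selector: 'textarea#editor',
  plugins: 'lists link',
  setup(editor) {
    editor.on('BeforeSetContent', (e) => {
      e.content = sanitizeHtml(e.content);
    });
  },
};

if (typeof tinymce !== 'undefined') {
  tinymce.init(hardenedTinyMceConfig); // only in a page that loaded TinyMCE
}
```

Treat this as a stopgap rather than a fix: the hook filters what is handed to the editor, but it does not change the parser that the advisory says was flawed, so upgrading to 4.9.7 or 5.1.4 remains the real remediation. Note also that the sanitizer rejects relative links that do not start with a slash, dot or fragment, which is the price of not trying to decode HTML entities inside the href before checking its scheme.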

According to the International Institute of Cyber Security (IICS), millions of people use TinyMCE every day, and the editor and its plugins underpin almost 40% of all websites in the world, so it was vital to fix this vulnerability before threat actors began actively exploiting it in the wild.