TinyMCE, the WYSIWYG editor affected by XSS vulnerability. 100 million affected websites

Specialists from an information security training course report the finding of a critical vulnerability in version 5.2.1 of TinyMCE, the popular What-You-See-Is-What-You-Get (WYSIWYG) text editor for open source HTML that works in JavaScript. Although this is a tool present on millions of websites around the world, the impact of this vulnerability cannot be specifically defined, as it depends on multiple factors such as the use of different editing modes, control over the initial content within the editor and protections against some attack variants.

Tracked as CVE-2020-12648, the flaw was reported by Chris Davis and George Steketee, of security firm Bishop Fox Labs.

According to the report, applications that use the TinyMCE text editor and do not implement cross-site scripting (XSS) protections may be especially exposed to this vulnerability. Successful exploitation of this flaw would allow the extraction of confidential information, privilege escalation attacks, commitment of administrator accounts, among other risks.

The flaw lies in TinyMCE’s removal and disinfection processes, as hackers can circumvent some protections to deploy an XSS attack and execute arbitrary JavaScript code (this code runs in the context of the application where TinyMCE is loaded.

By implementing classic editing mode, the removal and disinfection logic in TinyMCE can be omitted using nested and unconsumed HTML tags, which would allow actors to inject threats <img>with arbitrary src and onerror values, resulting in the XSS attack, as the information security training specialists mentioned.

To demonstrate the vulnerability, the researchers created an HTML page with an instance of the TinyMCE editor based on TinyMCE’s official Quick Start Guide. The result is shown below:

<!DOCTYPE html>
<html lang="en">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/5/tinymce.min.js" referrerpolicy="origin"></script>
      mode: "textareas"
 <h1>TinyMCE Quick Start Guide</h1>
  <form method="post">
    <textarea name="mytextarea" index="mytextarea">
          <?php echo htmlspecialchars($_POST['mytextarea']) ?>
    <input type="submit" value="submit">

This example used PHP to provide user-controlled content to TinyMCE for processing when loading the page. The payload could also be supplied directly through two other TinyMCE functions (setContent and insertContent). The XSS attack is successfully achieved by using the following payload:

<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

An example request used to achieve this is shown below:

POST /tinymce.php HTTP/1.1
Host: localhost:8000
…omitted for brevity…

mytextarea=<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

After the page was loaded, the payload runs:

La imagen tiene un atributo ALT vacío; su nombre de archivo es tinymce17082020.jpg

In this way, information security training specialists demonstrate that the risk of actual exploitation, so they recommend that administrators of affected deployments update as soon as possible. The latest versions of the application are 4.9.11 and 5.4.1, released on July 8, 2020.