TinyMCE Text Editor Flaw Lets Attackers Execute XSS Payloads


Tiny Technologies, the company behind the popular text editor TinyMCE, announced the release of version 5.10.8 on October 19, 2023. 

This new version aims to improve the security of the editor and includes important security patches.

One of the major security problems fixed in TinyMCE 5.10.8 was a mutation cross-site scripting (mXSS) vulnerability caused by the way the editor manipulated HTML content as a string. 



This vulnerability, CVE-2023-45818, affected the undo and redo features of the editor. 

A malicious HTML snippet could bypass the editor’s sanitization processes and be stored in the undo stack as a manipulated string. 

When the string was restored from the undo stack, it could trigger an XSS payload, because the string manipulation and the browser's subsequent re-parsing together produced markup that the sanitizer had never inspected.

This vulnerability also impacted several TinyMCE APIs and plugins, such as `tinymce.Editor.getContent({ format: 'raw' })`, `tinymce.Editor.resetContent()`, and the open source Autosave plugin. 

To address this issue, TinyMCE 5.10.8 has changed how it trims HTML, using node-level manipulation instead of string manipulation, which significantly reduces the risk.

Another security issue involved notification messages containing HTML that were not properly sanitized before being displayed, resulting in a cross-site scripting (XSS) vulnerability. 

This vulnerability, CVE-2023-45819, affected TinyMCE's notification system, especially in error-handling scenarios. An attacker could insert malicious content into the editor and trigger a notification. 

When the notification was opened, the HTML within the notification’s text argument was shown without filtering, allowing for arbitrary JavaScript execution. 

This security risk also affected any integration that used TinyMCE notifications to display unfiltered HTML content. 

The update to TinyMCE 5.10.8 now ensures that HTML is sanitized correctly, effectively preventing this exploit.
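The two patterns at the heart of CVE-2023-45819, a notification body spliced into markup as-is versus one rendered as text, are illustrated below. This is an added example written for this article, not TinyMCE's own notification code; the class names, the `renderNotification*` functions and the sample message are all constructed for illustration, and the "unsafe" renderer is shown only so the hardened one can be compared against it.

```javascript
// Added example (not TinyMCE's code): rendering a notification's text argument
// as HTML versus as text. All names and the sample message are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value, so the browser renders the string literally.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the message is spliced straight into markup, so any tag in it
// becomes part of the page. This is the shape of the bug described above.
function renderNotificationUnsafe({ type, text }) {
  return `<div class="notification notification--${type}">` +
         `<p class="notification__body">${text}</p></div>`;
}

// Hardened pattern: the message is escaped first, so it can only ever be text,
// and the type is restricted to an allow-list so it cannot inject attributes.
const ALLOWED_TYPES = new Set(['info', 'warning', 'error', 'success']);

function renderNotificationSafe({ type, text }) {
  const safeType = ALLOWED_TYPES.has(type) ? type : 'info';
  return `<div class="notification notification--${safeType}">` +
         `<p class="notification__body">${escapeHtml(text)}</p></div>`;
}

// Detection helper: does the rendered output contain any tag that was not
// part of the fixed template? Useful as a unit-test oracle for renderers.
function containsForeignTag(html, templateTags = ['div', 'p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed untrusted message: a user-supplied string that happens to
// contain markup (benign here; the point is that it must not become markup).
const UNTRUSTED_TEXT = 'Upload failed: <b>file.txt</b> is too large';

// Runs both renderers over the constructed message and reports whether each
// output leaks a tag that was not in the template.
function demo() {
  return {
    unsafeLeaksTag: containsForeignTag(renderNotificationUnsafe({ type: 'error', text: UNTRUSTED_TEXT })),
    safeLeaksTag: containsForeignTag(renderNotificationSafe({ type: 'error', text: UNTRUSTED_TEXT })),
  };
}
```

Calling `demo()` returns `{ unsafeLeaksTag: true, safeLeaksTag: false }`: the same message that injects a `<b>` element through the unsafe renderer is displayed as literal text by the hardened one. In a real UI the same effect is obtained by assigning the message to `textContent` rather than `innerHTML`; the escaping function is what that assignment does for you.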

Both of these vulnerabilities were assigned CVEs and acknowledged by GitHub Advisories. Tiny Technologies thanked the security researchers who discovered these issues.

How to Upgrade to the New Version

Upgrading to TinyMCE 5.10.8 depends on whether users use Tiny Cloud or a self-hosted setup. 

Tiny Cloud offers the latest enterprise version and has its own deployment guide. Self-hosted users can upgrade manually by following certain steps, which include backing up their existing setup, downloading the new version, and migrating their customizations as needed.

Tiny Technologies urges all users to update to this new version to benefit from the security improvements and to protect their systems from potential security threats.



