org.webjars:tinymce@5.0.9 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars:tinymce package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-Site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) via iframe elements inserted into the editor. Attacks are limited by same-origin browser protections, but downloading files is still possible.

How to fix Cross-Site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading SVG files via object or embed elements.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via mutation of inner HTML. An attacker can inject malicious scripts that pass the initial sanitization layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Text nodes in some parents are not sufficiently escaped upon serialization and can contain a special character reserved as an internal marker.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars:tinymce to version 5.10.7, 6.3.1 or higher.

[,5.10.7) [6.0.0,6.3.1)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via URLs which are not cleaned correctly in the link and image plugins.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a piece of crafted content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor. NOTE: the vulnerability could only be triggered when the content was previewed or rendered outside of the editor.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A vulnerability exists within the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • C
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It allows arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • M
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the media plugin.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)
  • H
Cross-site Scripting (XSS)

org.webjars:tinymce is a WebJar for TinyMCE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the core parser, paste and visualchars plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars:tinymce.

[0,)