CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47635 – WordPress TinyPNG plugin <= 3.4.3 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-47635
Cross-Site Request Forgery (CSRF) vulnerability in TinyPNG.This issue affects TinyPNG: from n/a through 3.4.3. The TinyPNG plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on the update_api_key() function and other functions. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/tiny-compress-images/wordpress-tinypng-plugin-3-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2024-21911 – Cross-site scripting vulnerability in TinyMCE
https://notcve.org/view.php?id=CVE-2024-21911
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. Las versiones de TinyMCE anteriores a la 5.6.0 se ven afectadas por una vulnerabilidad de cross site scripting almacenado. Un atacante remoto y no autenticado podría insertar HTML manipulado en el editor, lo que provocaría la ejecución arbitraria de JavaScript en el navegador de otro usuario. • https://github.com/advisories/GHSA-w7jx-j77m-wp65 https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65 https://vulncheck.com/advisories/vc-advisory-GHSA-w7jx-j77m-wp65 https://www.npmjs.com/package/tinymce https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-21910 – Cross-site scripting vulnerability in TinyMCE plugins
https://notcve.org/view.php?id=CVE-2024-21910
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser. Las versiones de TinyMCE anteriores a la 5.10.0 se ven afectadas por una vulnerabilidad de cross site scripting. Un atacante remoto y no autenticado podría introducir imágenes manipuladas o URL de enlaces que darían como resultado la ejecución de JavaScript arbitrario en el navegador de un usuario que esté editando. • https://github.com/advisories/GHSA-r8hm-w5f7-wj39 https://github.com/jazzband/django-tinymce/issues/366 https://github.com/jazzband/django-tinymce/releases/tag/3.4.0 https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 https://pypi.org/project/django-tinymce/3.4.0 https://vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2024-21908 – Cross-site scripting vulnerability in TinyMCE
https://notcve.org/view.php?id=CVE-2024-21908
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. Las versiones de TinyMCE anteriores a la 5.9.0 se ven afectadas por una vulnerabilidad de cross site scripting almacenado. Un atacante remoto y no autenticado podría insertar HTML manipulado en el editor, lo que provocaría la ejecución arbitraria de JavaScript en el navegador de otro usuario. • https://github.com/advisories/GHSA-5h9g-x5rv-25wg https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg https://vulncheck.com/advisories/vc-advisory-GHSA-5h9g-x5rv-25wg https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48219 – Special characters in unescaped text nodes can trigger mXSS in TinyMCE
https://notcve.org/view.php?id=CVE-2023-48219
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. • https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8 https://tiny.cloud/docs/release-notes/release-notes5109 https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •