CVE-2023-45819

Cross-site Scripting vulnerability in TinyMCE notificationManager.open API

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered. When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when an notification presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit. Users are advised to upgrade. There are no known workarounds for this vulnerability.

TinyMCE es un editor de texto enriquecido de código abierto. Se descubrió una vulnerabilidad de Cross-Site Scripting (XSS) en la API del Administrador de notificaciones de TinyMCE. La vulnerabilidad explota el sistema de notificación sin filtrar de TinyMCE, que se utiliza en el manejo de errores. Las condiciones para este exploit requieren que se haya insertado contenido malicioso cuidadosamente manipulado en el editor y que se haya activado una notificación. Cuando se abrió una notificación, el HTML dentro del argumento de texto se mostró sin filtrar en la notificación. La vulnerabilidad permitía la ejecución arbitraria de JavaScript cuando se presentaba una notificación en la interfaz de usuario de TinyMCE para el usuario actual. Este problema también podría ser aprovechado por cualquier integración que utilice una notificación TinyMCE para mostrar contenido HTML sin filtrar. Esta vulnerabilidad se ha solucionado en TinyMCE 5.10.8 y TinyMCE 6.7.1 garantizando que el HTML que se muestra en la notificación esté sanitizado, lo que evita el exploit. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

CVSS Scores

NISTv3.1 6.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-13 CVE Reserved
2023-10-19 CVE Published
2024-09-12 CVE Updated
2024-10-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38	2023-10-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tiny Search vendor "Tiny"		Tinymce Search vendor "Tiny" for product "Tinymce"				< 5.10.8 Search vendor "Tiny" for product "Tinymce" and version " < 5.10.8"		-		Affected
Tiny Search vendor "Tiny"		Tinymce Search vendor "Tiny" for product "Tinymce"				>= 6.0.0 < 6.7.1 Search vendor "Tiny" for product "Tinymce" and version " >= 6.0.0 < 6.7.1"		-		Affected