Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-38357

Good to know:

icon
icon

Date: June 19, 2024

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: PHP

Severity Score

Related Resources (10)

https://owasp.org/www-community/attacks/xss
https://security-tracker.debian.org/tracker/CVE-2024-38357
https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x
https://github.com/tinymce/tinymce
https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview
https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview
https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d
https://nvd.nist.gov/vuln/detail/CVE-2024-38357
https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0
https://www.mend.io/vulnerability-database/CVE-2024-38357

Severity Score

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version TinyMCE - 5.11.0,6.8.4,7.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us