XSS Vulnerability Discovered In TinyMCE HTML Text Editor

A serious vulnerability existed in the TinyMCE HTML text editor. Exploiting the vulnerability could result in arbitrary code execution.

TinyMCE Vulnerability Discovered

Reportedly, the TinyMCE HTML text editor had a serious vulnerability threatening numerous websites. This open-source text editor is in use by various Content Management Systems (CMS) such as WordPress and Joomla!.

Sharing the details in an advisory, the vendors revealed that a cross-site scripting (XSS) vulnerability affected TinyMCE. It’s a high severity vulnerability (CVE-2020-12648) that, upon exploitation, could lead to arbitrary code execution.

As explained in the advisory,

TinyMCE is affected by a vulnerability in its stripping and sanitization logic, which allows an attacker to bypass these built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code. The code was executed within the context of the application that loaded TinyMCE.

Consequently, potential impacts following exploitation of the bug included information disclosure, elevation of privilege, or complete account takeover.

Technical details about this bug are available in the advisory.

Patch Released

The vulnerability caught the attention of security researchers George Steketee and Chris Davis. As observed, the vulnerability affected TinyMCE editor version 5.2.1 as well as 4.0.26.

Following the reports, the vendors worked to develop a fix that they eventually released with versions 4.9.11 and 5.4.1.

TinyMCE is a WYSIWYG HTML editor and JavaScript library. It empowers thousands of websites as it runs on numerous CMS.

Nonetheless, not every website running the vulnerable TinyMCE editor versions is at risk. The vendors have explained that the impact of the bug and of any subsequent exploitation depends on multiple factors.

TinyMCE is in use on thousands of websites, but the risk and impact of this vulnerability on those sites depend on the details of the application in which TinyMCE is used. The use of “classic” editing mode, existing XSS protections, and whether users can control the initial content inside the editor all affect the exploitability of this vulnerability.

However, now that the patches are out, everyone running TinyMCE should update to the patched versions as soon as possible.
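A quick way to tell whether a deployed copy falls below the fixed releases named above, as an added example that is not part of the original article or of the TinyMCE project. It assumes the fixed versions stated in this article (4.9.11 for the 4.x line, 5.4.1 for the 5.x line) and that the running editor reports its version through the `tinymce.majorVersion` and `tinymce.minorVersion` strings it exposes on the global object:

```javascript
// Added example (not from the article or the TinyMCE project): classify a
// TinyMCE version string against the fixed releases for CVE-2020-12648
// given in the article: 4.9.11 for the 4.x line and 5.4.1 for the 5.x line.
const FIXED_VERSIONS = { 4: [4, 9, 11], 5: [5, 4, 1] };

// Parse "5.2.1" into [5, 2, 1]; missing trailing components default to 0.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'vulnerable' when the version is older than the fixed release of
// its major line, 'fixed' otherwise, and 'unknown' for a major line the
// advisory does not cover (for example an old 3.x build, which should be
// treated as unsupported rather than as safe).
function tinymceStatus(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return 'unknown';
  return compareVersions(parsed, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// In a page that has loaded TinyMCE, the running version can be assembled as
// `${tinymce.majorVersion}.${tinymce.minorVersion}` (e.g. "5" and "4.1").
// Constructed sample inputs so the block runs stand-alone:
const samples = ['5.2.1', '4.0.26', '4.9.11', '5.4.1', '5.10.0', '3.5.8'];
for (const v of samples) console.log(v, '->', tinymceStatus(v));
```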
