WS-2021-0133 (Medium) detected in tinymce-4.9.11.min.js

[mend-bolt-for-github]

WS-2021-0133 - Medium Severity Vulnerability

Vulnerable Library - tinymce-4.9.11.min.js

TinyMCE rich text editor

Library home page: https://cdnjs.cloudflare.com/ajax/libs/tinymce/4.9.11/tinymce.min.js

Path to vulnerable library: /wp-content/themes/Divi/includes/builder/frontend-builder/assets/vendors/tinymce.min.js

Dependency Hierarchy:

• ❌ tinymce-4.9.11.min.js (Vulnerable Library)

Found in HEAD commit: 928b87c3f458bb28df552e1c49bfeb1231a16bcf

Found in base branch: main

Vulnerability Details

Cross-site scripting vulnerability was found in TinyMCE before 5.7.1. A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor.

Publish Date: 2021-05-28

URL: WS-2021-0133

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5vm8-hhgr-jcjp

Release Date: 2021-05-28

Fix Resolution: tinymce - 5.7.1

---

Step up your Open Source Security Game with Mend here