Adding a couple of TinyMCE vulns
eoftedal committed Apr 2, 2024
1 parent 67f8f76 commit a4d3668
Showing 3 changed files with 144 additions and 0 deletions.
48 changes: 48 additions & 0 deletions repository/jsrepository-master.json
Expand Up @@ -1361,6 +1361,54 @@
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
},
{
"ranges": [
{
"atOrAbove": "0",
"below": "6.8.1"
}
],
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes",
"cwe": ["CWE-79"],
"severity": "medium",
"identifiers": {
"CVE": ["CVE-2024-29203"],
"githubID": "GHSA-438c-3975-5x3f"
},
"info": [
"https://github.com/advisories/GHSA-438c-3975-5x3f",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29203",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
]
},
{
"ranges": [
{
"atOrAbove": "0",
"below": "7.0.0"
}
],
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements",
"cwe": ["CWE-79"],
"severity": "medium",
"identifiers": {
"CVE": ["CVE-2024-29881"],
"githubID": "GHSA-5359-pvf2-pw78"
},
"info": [
"https://github.com/advisories/GHSA-5359-pvf2-pw78",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29881",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
]
}
],
"extractors": {
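Review bot: The `"below": "6.8.1"` bound on the first added entry (CVE-2024-29203, GHSA-438c-3975-5x3f) looks narrower than the entry's own references support: the 7.0 release-note link it lists under `info` says the `sandbox_iframes` option "is now defaulted to true" only in 7.0, which suggests 6.8.1 through 6.x deployments are protected only when that option is switched on, something a version-matching scanner cannot observe. The sibling entry for CVE-2024-29881, which cites the same fix commit and the same 6.8.1 release note, draws its boundary at `"below": "7.0.0"`. If the advisory does list 6.8.1 as the patched version, keep the range but consider noting the opt-in mitigation in the summary, e.g. `"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes (6.8.1+ requires sandbox_iframes: true)"`; otherwise align the bound with the sibling entry. The same range appears in the corresponding entries of repository/jsrepository-v2.json and repository/jsrepository.json in this commit, so whichever way it is resolved, all three files should change together.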
48 changes: 48 additions & 0 deletions repository/jsrepository-v2.json
Expand Up @@ -1663,6 +1663,54 @@
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
},
{
"atOrAbove": "0",
"below": "6.8.1",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes",
"CVE": [
"CVE-2024-29203"
],
"githubID": "GHSA-438c-3975-5x3f"
},
"info": [
"https://github.com/advisories/GHSA-438c-3975-5x3f",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29203",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
]
},
{
"atOrAbove": "0",
"below": "7.0.0",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements",
"CVE": [
"CVE-2024-29881"
],
"githubID": "GHSA-5359-pvf2-pw78"
},
"info": [
"https://github.com/advisories/GHSA-5359-pvf2-pw78",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29881",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
]
}
],
"extractors": {
48 changes: 48 additions & 0 deletions repository/jsrepository.json
Expand Up @@ -1649,6 +1649,54 @@
"https://tiny.cloud/docs/release-notes/release-notes5109/",
"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
]
},
{
"atOrAbove": "0",
"below": "6.8.1",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes",
"CVE": [
"CVE-2024-29203"
],
"githubID": "GHSA-438c-3975-5x3f"
},
"info": [
"https://github.com/advisories/GHSA-438c-3975-5x3f",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29203",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
]
},
{
"atOrAbove": "0",
"below": "7.0.0",
"cwe": [
"CWE-79"
],
"severity": "medium",
"identifiers": {
"summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements",
"CVE": [
"CVE-2024-29881"
],
"githubID": "GHSA-5359-pvf2-pw78"
},
"info": [
"https://github.com/advisories/GHSA-5359-pvf2-pw78",
"https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78",
"https://nvd.nist.gov/vuln/detail/CVE-2024-29881",
"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
"https://github.com/tinymce/tinymce",
"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
]
}
],
"extractors": {
