
CVE-2020-12648: Cross-site scripting vulnerability in TinyMCE

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.17602%
Published: 8/11/2020
Updated: 5/22/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| tinymce | npm | < 4.9.11 | 4.9.11 |
| tinymce | npm | >= 5.0.0, < 5.4.1 | 5.4.1 |
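
A dependency check built from the affected version ranges listed above, added here as an example and not taken from the advisory or the TinyMCE project. It walks the `packages` map of an npm lockfile (v2/v3) and flags every `tinymce` copy in range, including nested ones; the sample lockfile and the `legacy-cms` and `admin-ui` package names are constructed.

```javascript
// Affected ranges, copied from the advisory's version table.
const AFFECTED = [
  { below: [4, 9, 11], fixed: "4.9.11" },                 // < 4.9.11
  { from: [5, 0, 0], below: [5, 4, 1], fixed: "5.4.1" },  // >= 5.0.0, < 5.4.1
];

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Return the first patched version if `version` is affected, otherwise null.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  const hit = AFFECTED.find(
    (r) => (!r.from || compare(v, r.from) >= 0) && compare(v, r.below) < 0
  );
  return hit ? hit.fixed : null;
}

// Walk the "packages" map of an npm lockfile (v2/v3) and report every
// affected tinymce copy, including ones nested under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/tinymce$/.test(path)) continue;
    const upgradeTo = fixFor(meta.version);
    if (upgradeTo) findings.push({ path, version: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile; package names other than tinymce are hypothetical.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/tinymce": { version: "5.4.1" },
    "node_modules/legacy-cms/node_modules/tinymce": { version: "4.9.10" },
    "node_modules/admin-ui/node_modules/tinymce": { version: "5.3.2" },
    "node_modules/@tinymce/tinymce-react": { version: "3.6.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

Versions from 4.9.11 up to, but not including, 5.0.0 fall outside both ranges and are reported as unaffected.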

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from two key issues: 1) Missing 'iframe' in the schema's special elements list (Schema.ts), which controls whether element content is parsed as text or DOM nodes. Without this, malicious iframe content wasn't sanitized. 2) Incorrect whitespace element handling in parser filters (ParserFilters.ts), which affected parsing context validation. The commit explicitly addresses both by adding 'iframe' to special elements and correcting the schema method call, as shown in the test cases validating XSS prevention.



Impact

A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This imp…
