4.3

CVSS Score

Basic Information

CVE ID

CVE-2024-29203

GHSA ID

GHSA-438c-3975-5x3f

EPSS Score

CWE

CWE-79

Published

3/26/2024

Updated

3/26/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29203

CVE-2024-29203:
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.

Fix

TinyMCE 6.8.1 introduced a new sandbox_iframes boolean option which adds the sandbox="" attribute to every iframe element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe elements. From TinyMCE 7.0.0 onwards the default value of this option is true.

In TinyMCE 7.0.0 a new sandbox_iframes_exclusions option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox="" attribute applied when the sandbox_iframes option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe elements from every domain, set this option to [].

Workarounds

The HTTP Content-Security-Policy (CSP) frame-src or object-src can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.

References

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2024-29203

GHSA ID

GHSA-438c-3975-5x3f

EPSS Score

CWE

CWE-79

Published

3/26/2024

Updated

3/26/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tinymce	npm	< 6.8.1	6.8.1
TinyMCE	nuget	< 6.8.1	6.8.1
tinymce/tinymce	composer	< 6.8.1	6.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper sanitization of iframe elements during content insertion. Key indicators are:

The commit adds new sandbox_iframes handling in ParserFilters.ts, indicating previous absence of this protection
Test cases show unpatched versions didn't add sandbox attributes to iframes
The patch introduces node filters that explicitly add sandbox attributes, implying prior vulnerability in these processing paths
Paste handling was modified to include sandbox_iframes checks, showing pasted content was previously vulnerable These functions directly handle content parsing and insertion without the security measures introduced in the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * [*ross-sit* s*riptin* (XSS)](*ttps://ow*sp.or*/www-*ommunity/*tt**ks/xss/) vuln*r**ility w*s *is*ov*r** in TinyM**’s *ont*nt ins*rtion *o**. T*is *llow** `i*r*m*` *l*m*nts *ont*inin* m*li*ious *o** to *x**ut* w**n ins*rt** into t** **it

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* i*r*m* *l*m*nts *urin* *ont*nt ins*rtion. K*y in*i**tors *r*: *. T** *ommit ***s n*w s*n**ox_i*r*m*s **n*lin* in P*rs*r*ilt*rs.ts, in*i**tin* pr*vious **s*n** o* t*is prot**tion *. T*st **s*s s*ow

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-29203: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes

Impact

Fix

Workarounds

References

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-29203:
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes

Vulnerability Intelligence
Miggo AI