4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29881

GHSA ID

GHSA-5359-pvf2-pw78

EPSS Score

0.41451%

CWE

CWE-79

Published

3/26/2024

Updated

3/26/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29881

CVE-2024-29881: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload.

Fix

TinyMCE 6.8.1 introduced a new convert_unsafe_embeds option to automatically convert object and embed elements respective of their type attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds option is enabled by default.

Workarounds

If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs.

Acknowledgements

Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.

References

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29881

GHSA ID

GHSA-5359-pvf2-pw78

EPSS Score

0.41451%

CWE

CWE-79

Published

3/26/2024

Updated

3/26/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tinymce/tinymce	composer	< 7.0.0	7.0.0
tinymce	npm	< 7.0.0	7.0.0
TinyMCE	nuget	< 7.0.0	7.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from TinyMCE's handling of 'object' and 'embed' elements containing SVG files. The commit diff shows the critical fix was adding a node filter in ParserFilters.ts that converts these elements to safer alternatives based on MIME type. Before this fix (versions <7.0.0), the register function did not include this filter, leaving the parser vulnerable to XSS via unprocessed object/embed elements. The addition of the convert_unsafe_embeds option and associated filtering logic in this function directly addresses the vulnerability, confirming its role in the exploit path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * [*ross-sit* s*riptin* (XSS)](*ttps://ow*sp.or*/www-*ommunity/*tt**ks/xss/) vuln*r**ility w*s *is*ov*r** in TinyM**’s *ont*nt lo**in* *n* *ont*nt ins*rtin* *o**. * SV* im*** *oul* ** lo**** t*ou** *n `o*j**t` or `*m***` *l*m*nt *n* t**t i

Reasoning

T** vuln*r**ility st*ms *rom TinyM**'s **n*lin* o* 'o*j**t' *n* '*m***' *l*m*nts *ont*inin* SV* *il*s. T** *ommit *i** s*ows t** *riti**l *ix w*s ***in* * no** *ilt*r in P*rs*r*ilt*rs.ts t**t *onv*rts t**s* *l*m*nts to s***r *lt*rn*tiv*s **s** on MIM

4.3

Basic Information

Concerned about an active attack path?

CVE-2024-29881: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements

Impact

Fix

Workarounds

Acknowledgements

References

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI