6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-38356

CVE-2024-38356: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

References

For more information

If you have any questions or comments about this advisory:

Email us at infosec@tiny.cloud
Open an issue in the TinyMCE repo

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-38356

CVE-2024-38356:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tinymce	npm	< 5.11.0	5.11.0
TinyMCE	nuget	< 5.11.0	5.11.0
tinymce/tinymce	composer	< 5.11.0	5.11.0
tinymce	npm	>= 6.0.0, < 6.8.4	6.8.4
tinymce	npm	>= 7.0.0, < 7.2.0	7.2.0
TinyMCE	nuget	>= 6.0.0, < 6.8.4	6.8.4
TinyMCE	nuget	>= 7.0.0, < 7.2.0	7.2.0
tinymce/tinymce	composer	>= 6.0.0, < 6.8.4	6.8.4
tinymce/tinymce	composer	>= 7.0.0, < 7.2.0	7.2.0
django-tinymce	pip	<= 4.0.0	4.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from inadequate regex validation when restoring non-editable content from 'data-mce-content' attributes. The pre-patch code in NonEditableFilter.ts's setup function directly converted nodes to text content without verifying if the content matched the configured regular expressions. The commit added an 'isValidContent' check that ensures full regex match before processing, and removes nodes that don't comply. This directly addresses the XSS vector described in CVE-2024-38356.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-38356: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Impact

Patches

Fix

References

For more information

CVE-2024-38356:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2024-38356: TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Impact

Patches

Fix

References

For more information

6.1

6.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI