CVE-2024-21908
MEDIUMTinyMCE < 5.9.0 - Unauthenticated Stored Cross-Site Scripting
Title source: llmDescription
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
References (4)
Core 4
Core References
Exploit, Third Party Advisory vendor-advisory
https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
Release Notes related
https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes
Exploit, Third Party Advisory third-party-advisory
https://github.com/advisories/GHSA-5h9g-x5rv-25wg
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-5h9g-x5rv-25wg
Scores
CVSS v3
6.1
EPSS
0.0052
EPSS Percentile
66.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (4)
npm/tinymce
0 - 5.9.0npm
nuget/TinyMCE
0 - 5.9.0NuGet
tiny/tinymce
< 5.9.0
tinymce/tinymce
0 - 5.9.0Packagist
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026