CVE-2024-21910
MEDIUMTinyMCE < 5.10.0 - Unauthenticated Stored Cross-Site Scripting via Crafted Image or Link URLs
Title source: llmDescription
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
References (6)
Core 6
Core References
Third Party Advisory vendor-advisory
https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
Issue Tracking, Third Party Advisory issue-tracking
https://github.com/jazzband/django-tinymce/issues/366
Release Notes related
https://github.com/jazzband/django-tinymce/releases/tag/3.4.0
Release Notes related
https://pypi.org/project/django-tinymce/3.4.0/
Exploit, Third Party Advisory third-party-advisory
https://github.com/advisories/GHSA-r8hm-w5f7-wj39
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39
Scores
CVSS v3
6.1
EPSS
0.0408
EPSS Percentile
88.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (5)
npm/tinymce
0 - 5.10.0npm
nuget/TinyMCE
0 - 5.10.0NuGet
pypi/django-tinymce
0 - 3.4.0PyPI
tiny/tinymce
< 5.10.0
tinymce/tinymce
0 - 5.10.0Packagist
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026