CVE-2024-21911
MEDIUMTinyMCE < 5.6.0 - Unauthenticated Stored Cross-Site Scripting
Title source: llmDescription
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
References (5)
Core 5
Core References
Exploit, Third Party Advisory vendor-advisory
https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65
Release Notes related
https://www.npmjs.com/package/tinymce
Release Notes related
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
Exploit, Third Party Advisory third-party-advisory
https://github.com/advisories/GHSA-w7jx-j77m-wp65
Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-w7jx-j77m-wp65
Scores
CVSS v3
6.1
EPSS
0.0145
EPSS Percentile
81.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (4)
npm/tinymce
0 - 5.6.0npm
nuget/TinyMCE
0 - 5.6.0NuGet
tiny/tinymce
< 5.6.0
tinymce/tinymce
0 - 5.6.0Packagist
Published
Jan 03, 2024
Tracked Since
Feb 18, 2026