[wp-trac] [WordPress Trac] #49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
WordPress Trac
noreply at wordpress.org
Wed Apr 1 00:39:06 UTC 2020
#49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of
Input During Web Page Generation. The impact is: JavaScript code execution.
The component is: Media element. The attack vector is: The victim must
paste malicious content to media element's embed tab.
--------------------------------+----------------------
Reporter: tlterry | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: External Libraries | Version:
Severity: critical | Resolution: invalid
Keywords: | Focuses:
--------------------------------+----------------------
Changes (by azaozz):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Again, please do not open security related tickets on trac. See
https://core.trac.wordpress.org/ticket/49735#comment:1.
If I understand this properly the report is for TinyMCE versions 4.7.11
and 4.7.12. But then the root cause points to TinyMCE 4.9.6 which then
points to a file in 4.8.3...
In any case, the `media` plugin is not used in WP to embed user content.
This functionality is disabled. In that terms don't think WP is affected
by this issue, regardless of the TinyMCE version.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49737#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list