[wp-trac] [WordPress Trac] #49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.

WordPress Trac noreply at wordpress.org
Wed Apr 1 00:39:06 UTC 2020


#49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of
Input During Web Page Generation. The impact is: JavaScript code execution.
The component is: Media element. The attack vector is: The victim must
paste malicious content to media element's embed tab.
--------------------------------+----------------------
 Reporter:  tlterry             |       Owner:  (none)
     Type:  defect (bug)        |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  External Libraries  |     Version:
 Severity:  critical            |  Resolution:  invalid
 Keywords:                      |     Focuses:
--------------------------------+----------------------
Changes (by azaozz):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 Again, please do not open security related tickets on trac. See
 https://core.trac.wordpress.org/ticket/49735#comment:1.

 If I understand this properly, the report is for TinyMCE versions 4.7.11
 and 4.7.12. But then the root cause points to TinyMCE 4.9.6, which then
 points to a file in 4.8.3...

 In any case, the `media` plugin is not used in WP to embed user content.
 This functionality is disabled. In those terms, I don't think WP is
 affected by this issue, regardless of the TinyMCE version.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49737#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform