[wp-trac] [WordPress Trac] #49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
WordPress Trac
noreply at wordpress.org
Tue Mar 31 09:01:33 UTC 2020
#49737: tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of
Input During Web Page Generation. The impact is: JavaScript code execution.
The component is: Media element. The attack vector is: The victim must
paste malicious content to media element's embed tab.
--------------------------------+-----------------------------
Reporter: tlterry | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: External Libraries | Version:
Severity: critical | Keywords:
Focuses: |
--------------------------------+-----------------------------
Hi WordPress,
I am having the following issue. Can you please have a look at the issue and how
we can resolve it? Thank you.
**DESCRIPTION FROM CVE**
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of
Input During Web Page Generation. The impact is: JavaScript code
execution. The component is: Media element. The attack vector is: The
victim must paste malicious content to media element's embed tab.
**EXPLANATION**
The tinymce package is vulnerable to Cross-Site Scripting (XSS) attacks.
The handleEmbed() function in the plugin.js file fails to sanitize input
during media element creation. A remote attacker can exploit this
vulnerability by enticing a victim into inserting an embedded media
element that contains malicious JavaScript. This will result in script
execution in the victim's browser context when the media element is
created.
**DETECTION**
The application is vulnerable by using this component.
**RECOMMENDATION**
There is no non-vulnerable version of this component. We recommend
investigating alternative components or potential mitigating controls.
**ROOT CAUSE**
tinymce-4.9.6.tgzMETA-INF/resources/webjars/tinymce/4.8.3/plugins/media/plugin.js( , )
tinymce-4.9.6.tgzMETA-INF/resources/webjars/tinymce/4.8.3/plugins/media/plugin.min.js( , )
---------------------------------------------------------------------------------------------------------
**Files Path:**
plugin.js located at /wp-includes/js/tinymce/plugins/charmap
plugin.min.js located at /wp-includes/js/tinymce/plugins/charmap
plugin.js located at /wp-includes/js/tinymce/plugins/colorpicker
plugin.min.js located at /wp-includes/js/tinymce/plugins/colorpicker
plugin.js located at /wp-includes/js/tinymce/plugins/directionality
plugin.min.js located at /wp-includes/js/tinymce/plugins/directionality
plugin.js located at /wp-includes/js/tinymce/plugins/fullscreen
plugin.min.js located at /wp-includes/js/tinymce/plugins/fullscreen
plugin.js located at /wp-includes/js/tinymce/plugins/hr
plugin.min.js located at /wp-includes/js/tinymce/plugins/hr
plugin.js located at /wp-includes/js/tinymce/plugins/image
plugin.min.js located at /wp-includes/js/tinymce/plugins/image
plugin.js located at /wp-includes/js/tinymce/plugins/link
plugin.min.js located at /wp-includes/js/tinymce/plugins/link
plugin.min.js located at /wp-includes/js/tinymce/plugins/lists
plugin.js located at /wp-includes/js/tinymce/plugins/media
plugin.min.js located at /wp-includes/js/tinymce/plugins/media
plugin.js located at /wp-includes/js/tinymce/plugins/paste
plugin.min.js located at /wp-includes/js/tinymce/plugins/paste
plugin.js located at /wp-includes/js/tinymce/plugins/tabfocus
plugin.min.js located at /wp-includes/js/tinymce/plugins/tabfocus
plugin.js located at /wp-includes/js/tinymce/plugins/textcolor
plugin.min.js located at /wp-includes/js/tinymce/plugins/textcolor
theme.js located at /wp-includes/js/tinymce/themes/inlite
theme.min.js located at /wp-includes/js/tinymce/themes/inlite
theme.js located at /wp-includes/js/tinymce/themes/modern
theme.min.js located at /wp-includes/js/tinymce/themes/modern
tinymce.min.js located at /wp-includes/js/tinymce
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49737>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
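Added illustration, not part of the ticket and not TinyMCE's or WordPress's code: the EXPLANATION section describes embed markup pasted into the media dialog being inserted without neutralization. One mitigating control of the kind the RECOMMENDATION alludes to is to rebuild pasted embed code from an allow-list before it ever reaches the editor. The Python below parses the paste with the standard library's HTMLParser, keeps only an assumed set of media elements and attributes, rejects any src/poster that is not an absolute http(s) URL, and records every removal so a host application can log or surface it. The allow-list, function names and the sample paste are assumptions chosen for this example.

```python
"""Allow-list sanitizer for user-pasted media embed HTML (example code).

Assumption: the host application feeds the raw paste to sanitize_embed()
before inserting anything into the document. Nothing here is TinyMCE's.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for this example: element -> attributes that may survive.
ALLOWED_TAGS = {
    "iframe": {"src", "width", "height", "title", "allowfullscreen", "frameborder"},
    "video": {"src", "width", "height", "controls", "poster"},
    "audio": {"src", "controls"},
    "source": {"src", "type"},
}
URL_ATTRS = {"src", "poster"}          # attributes that must carry an http(s) URL
RAW_TEXT_TAGS = {"script", "style"}    # their text content is dropped entirely
VOID_TAGS = {"source", "img", "br", "input", "track", "embed", "param", "hr"}


def safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, relative paths."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in {"http", "https"} and bool(parsed.netloc)


class EmbedSanitizer(HTMLParser):
    """Rebuilds pasted embed markup from the allow-list, recording what was cut."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # audit trail: tags/attributes/URLs removed
        self._open = []      # allowed elements currently open
        self._raw = None     # name of the script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if self._raw:
            return
        if tag in RAW_TEXT_TAGS:          # drop the element and all of its text
            self._raw = tag
            self.dropped.append(f"tag:{tag}")
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:               # unknown element: drop the tag, keep its text
            self.dropped.append(f"tag:{tag}")
            return
        parts = [tag]
        for name, value in attrs:
            if name not in allowed:       # also removes every on* event handler
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not (value and safe_url(value)):
                self.dropped.append(f"url:{tag}@{name}")
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._raw:
            if tag == self._raw:
                self._raw = None
            return
        if tag in self._open:             # close it, plus any child left unclosed
            while self._open:
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._raw:                 # text is re-escaped, never passed through raw
            self.out.append(escape(data))

    def handle_comment(self, data):
        self.dropped.append("comment")


def sanitize_embed(markup):
    """Return (clean_html, dropped_items) for pasted embed code."""
    parser = EmbedSanitizer()
    parser.feed(markup)
    parser.close()
    while parser._open:                   # close anything the paste left open
        parser.out.append(f"</{parser._open.pop()}>")
    return "".join(parser.out), parser.dropped


# Constructed sample paste: a legitimate iframe carrying an event handler,
# a script block, and a video whose src is a javascript: URL.
SAMPLE_PASTE = (
    '<iframe src="https://example.com/player" width="560" height="315" '
    'allowfullscreen onload="alert(1)"></iframe>'
    "<script>alert(document.cookie)</script>"
    '<video src="javascript:alert(1)" controls></video>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_embed(SAMPLE_PASTE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the detection hook: a non-empty list on a paste means the user-supplied embed contained something outside the allow-list, which is worth logging even when the cleaned markup is accepted.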