#49737 closed defect (bug) (invalid)
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | critical | Version: | |
| Component: | TinyMCE | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi WordPress,
I am having the following issue. Can you please have a look at the issue and how we resolve it? Thank you.
DESCRIPTION FROM CVE
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
EXPLANATION
The tinymce package is vulnerable to Cross-Site Scripting (XSS) attacks. The handleEmbed() function in the plugin.js file fails to sanitize input during media element creation. A remote attacker can exploit this vulnerability by enticing a victim into inserting an embedded media element that contains malicious JavaScript. This will result in script execution in the victim's browser context when the media element is created.
DETECTION
The application is vulnerable by using this component.
RECOMMENDATION
There is no non-vulnerable version of this component. We recommend investigating alternative components or potential mitigating control.
ROOT CAUSE
tinymce-4.9.6.tgzMETA-INF/resources/webjars/tinymce/4.8.3/plugins/media/plugin.js( , )
tinymce-4.9.6.tgzMETA-INF/resources/webjars/tinymce/4.8.3/plugins/media/plugin.min.js( , )
Files Path:
plugin.js located at /wp-includes/js/tinymce/plugins/charmap
plugin.min.js located at /wp-includes/js/tinymce/plugins/charmap
plugin.js located at /wp-includes/js/tinymce/plugins/colorpicker
plugin.min.js located at /wp-includes/js/tinymce/plugins/colorpicker
plugin.js located at /wp-includes/js/tinymce/plugins/directionality
plugin.min.js located at /wp-includes/js/tinymce/plugins/directionality
plugin.js located at /wp-includes/js/tinymce/plugins/fullscreen
plugin.min.js located at /wp-includes/js/tinymce/plugins/fullscreen
plugin.js located at /wp-includes/js/tinymce/plugins/hr
plugin.min.js located at /wp-includes/js/tinymce/plugins/hr
plugin.js located at /wp-includes/js/tinymce/plugins/image
plugin.min.js located at /wp-includes/js/tinymce/plugins/image
plugin.js located at /wp-includes/js/tinymce/plugins/link
plugin.min.js located at /wp-includes/js/tinymce/plugins/link
plugin.min.js located at /wp-includes/js/tinymce/plugins/lists
plugin.js located at /wp-includes/js/tinymce/plugins/media
plugin.min.js located at /wp-includes/js/tinymce/plugins/media
plugin.js located at /wp-includes/js/tinymce/plugins/paste
plugin.min.js located at /wp-includes/js/tinymce/plugins/paste
plugin.js located at /wp-includes/js/tinymce/plugins/tabfocus
plugin.min.js located at /wp-includes/js/tinymce/plugins/tabfocus
plugin.js located at /wp-includes/js/tinymce/plugins/textcolor
plugin.min.js located at /wp-includes/js/tinymce/plugins/textcolor
theme.js located at /wp-includes/js/tinymce/themes/inlite
theme.min.js located at /wp-includes/js/tinymce/themes/inlite
theme.js located at /wp-includes/js/tinymce/themes/modern
theme.min.js located at /wp-includes/js/tinymce/themes/modern
tinymce.min.js located at /wp-includes/js/tinymce
Again, please do not open security related tickets on trac. See https://core.trac.wordpress.org/ticket/49735#comment:1.
If I understand this properly the report is for TinyMCE versions 4.7.11 and 4.7.12. But then the root cause points to TinyMCE 4.9.6 which then points to a file in 4.8.3...
In any case, the `media` plugin is not used in WP to embed user content. This functionality is disabled. In those terms I don't think WP is affected by this issue, regardless of the TinyMCE version.