SS-2023-001 - XSS vulnerability in underlying TinyMCE library
- Severity: Medium
- Identifier: SS-2023-001
- Versions Affected: silverstripe/admin ^1.0.0
- Versions Fixed: silverstripe/admin 1.12.7, 1.13.0
- Release Date: 2023-04-26
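The affected and fixed version ranges above can be checked mechanically against a project's composer.lock. The following is an added example written for this advisory, not code from Silverstripe or TinyMCE; the composer.lock fragment embedded in it is constructed for illustration, and the helper names (`is_vulnerable`, `check_lock`) are this example's own. It treats every silverstripe/admin 1.x release below 1.12.7 as affected (1.13.0 is the first release of the 1.13 line and is already fixed) and reports dev or branch versions as unknown rather than guessing.

```python
import json
import re

# Constructed sample composer.lock fragment (not from a real project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "4.12.3"},
        {"name": "silverstripe/admin", "version": "1.12.6"},
    ],
    "packages-dev": [],
})

# From the advisory: silverstripe/admin ^1.0.0 affected, fixed in 1.12.7 and 1.13.0.
FIRST_FIXED_VERSION = "1.12.7"


def parse_version(version):
    """Turn '1.12.6' (or 'v1.12.6') into a comparable (major, minor, patch) tuple.

    Raises ValueError for branch aliases such as '1.x-dev' or 'dev-master',
    which cannot be placed in the affected range.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if a silverstripe/admin release version is in the affected range.

    Affected range is ^1.0.0 up to (but excluding) the first fixed release,
    1.12.7. Every later 1.x release, including 1.13.0, carries the fix.
    Versions outside the 1.x line are not in the affected range.
    """
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    return (major, minor, patch) < parse_version(FIRST_FIXED_VERSION)


def installed_version(lock_json, package="silverstripe/admin"):
    """Return the locked version of `package`, or None if it is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def check_lock(lock_json):
    """Return (version, status) for silverstripe/admin in a composer.lock document.

    status is True (affected), False (fixed or not installed), or None when the
    locked version is a branch alias that cannot be compared.
    """
    version = installed_version(lock_json)
    if version is None:
        return None, False
    try:
        return version, is_vulnerable(version)
    except ValueError:
        return version, None


if __name__ == "__main__":
    version, status = check_lock(SAMPLE_COMPOSER_LOCK)
    label = {True: "AFFECTED", False: "not affected", None: "unknown (branch alias)"}[status]
    print(f"silverstripe/admin {version}: {label}")
```

Run it against a real lock file by replacing `SAMPLE_COMPOSER_LOCK` with the contents of `composer.lock`; an "AFFECTED" result means the site needs to be updated to 1.12.7 or 1.13.0 (or later).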
The version of the TinyMCE library used by silverstripe/admin contains an XSS vulnerability that TinyMCE patched in a later release. TinyMCE describes the vulnerability as follows:
A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.
We reviewed the potential impact of this vulnerability in the context of Silverstripe CMS and concluded that it is of medium severity, given how TinyMCE is used by Silverstripe CMS. As TinyMCE's description notes, the crafted content has to be inserted into the editor via the clipboard or the editor APIs, so exploitation depends on content being pasted or inserted into a CMS editing session.
Base CVSS: 5.4
Reported by: Developers at ACC
References
- GHSA-vrv8-v4w8-f95h
- https://www.mend.io/vulnerability-database/WS-2020-0142
- https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes