CVE-2024-29881
Published: 26 March 2024
Summary
CVE-2024-29881 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in TinyMCE (vendor: Tiny). Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
TinyMCE, an open source rich text editor, is affected by a cross-site scripting vulnerability in its content loading and content inserting code. An SVG image supplied through an object or embed element can carry an XSS payload that executes in the context of the editor.
An unauthenticated remote attacker can exploit the flaw by causing a victim to load or insert attacker-controlled content into a TinyMCE instance. The CVSS vector reflects that user interaction is required and that the impact is limited to information disclosure.
The vulnerability is fixed in TinyMCE 6.8.1 and 7.0.0. The project advisories and release notes introduce the convert_unsafe_embeds editor option, which is enabled by default in version 7 and converts object and embed elements to more restrictive alternatives such as img, video, audio, or iframe based on MIME type.
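The conversion that convert_unsafe_embeds performs, as an added illustration written for this page rather than TinyMCE's own code: object and embed elements are replaced by img, video, audio or iframe according to the declared MIME type, so an SVG ends up rendered through img, where browsers do not execute its script, instead of as a document. The attribute allowlist, the javascript: URL rejection, the iframe sandbox attribute and the regex tokenizer are this example's assumptions; a real editor applies the rule on its parsed DOM.

```javascript
// Added illustration, not TinyMCE code. Attribute allowlist carried over unchanged:
const KEEP = ['width', 'height', 'title'];

// Map one object/embed (tag name + attribute map) to its more restrictive replacement.
function convertUnsafeEmbed(tag, attrs) {
  const src = tag === 'object' ? attrs.data : attrs.src;
  if (!src || /^\s*javascript:/i.test(src)) return null;   // nothing (safe) to load: drop it
  const mime = (attrs.type || '').toLowerCase().split(';')[0].trim();
  let out;
  if (mime.startsWith('image/')) out = 'img';        // SVG in <img> is script-inert, unlike <object>/<embed>
  else if (mime.startsWith('video/')) out = 'video';
  else if (mime.startsWith('audio/')) out = 'audio';
  else out = 'iframe';                               // any other type: isolated document (assumption)
  const safe = { src };
  for (const k of KEEP) if (attrs[k] !== undefined) safe[k] = attrs[k];
  if (out === 'iframe') safe.sandbox = '';           // no script, no same-origin access (this example's hardening)
  return { tag: out, attrs: safe };
}

// Serialize with attribute-value escaping so rewritten markup cannot break out of a quote.
function escapeAttr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}
function serialize(node) {
  if (!node) return '';
  const a = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
  return node.tag === 'img' ? `<img${a}>` : `<${node.tag}${a}></${node.tag}>`;
}

// Demo-only tokenizer for double-quoted attributes; a real editor works on its parsed DOM.
function parseAttrs(s) {
  const attrs = {};
  for (const m of s.matchAll(/([a-zA-Z:-]+)\s*=\s*"([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}
function rewriteHtml(html) {
  return html
    .replace(/<object\b([^>]*)>[\s\S]*?<\/object>/gi, (_, a) => serialize(convertUnsafeEmbed('object', parseAttrs(a))))
    .replace(/<embed\b([^>]*)\/?>/gi, (_, a) => serialize(convertUnsafeEmbed('embed', parseAttrs(a))));
}

// Constructed sample content of the kind the advisory describes (not a real payload).
const SAMPLE = '<p>hi</p><object data="logo.svg" type="image/svg+xml" width="40"></object>' +
  '<embed src="clip.mp4" type="video/mp4"><embed src="doc.pdf" type="application/pdf">';
console.log(rewriteHtml(SAMPLE));
```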
The associated EPSS score has remained flat at 0.0514 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0820
Vulnerability details
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content loading and content inserting code. An SVG image could be loaded through an `object` or `embed` element, and that image could potentially contain an XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.