Potentially serious vulnerability has been identified in popular WYSIWYG editor TinyMCE

A potentially serious cross-site scripting (XSS) vulnerability affecting the TinyMCE rich text editor could be exploited, depending on the implementation, for privilege escalation, obtaining information, or account takeover.

Developed by Tiny Technologies, TinyMCE is advertised as the most advanced WYSIWYG HTML editor designed to simplify website content creation. According to Tiny, the editor is downloaded 350 million times per year and is included in more than 100 million websites. TinyMCE is available for free as open source, but Tiny also provides paid plans that include premium plugins, support and deployment services.

Researchers at Bishop Fox discovered in April that TinyMCE is affected by an XSS vulnerability whose impact depends on the application using the editor. The issue, tracked as CVE-2020-12648, affects version 5.2.1 and earlier, and it was patched in July with the release of versions 4.9.11 and 5.4.1.

Successful exploitation can allow an attacker to escalate privileges, obtain information, and even hijack the targeted user's account.

“Depending on the site in which tinyMCE is used, an attacker could exploit this as either stored or reflected (using a crafted link) XSS. I’ve seen both cases,” George Seketee, senior security consultant at Bishop Fox and one of the people credited for finding the flaw, told SecurityWeek.

He explained, “The exact details of exploitation vary with implementation, but generally an attacker needs to get tinyMCE to interpret the crafted string. This could be on initial page load, or by using some other portion of the site’s functionality. At a low level, if tinyMCE’s setContent() or insertContent() functions were called with a crafted payload, the XSS would trigger. TinyMCE indicated that the vulnerability was in their ‘core parser’, which may indicate there were other ways to trigger this vulnerability.”

Chris Davis, a Bishop Fox security consultant who has also been credited for reporting the vulnerability, added, “Due to the nature of XSS this can often result in privilege escalation and can be used to force arbitrary actions on a user’s behalf unbeknownst to the user.”

Dylan Just, information security lead at Tiny, said that in addition to patching the flaw in TinyMCE versions 5.4.1 and 4.9.11, they have identified workarounds, which are described in the company’s own advisory.

“We encourage all users to upgrade to TinyMCE 5.4.1, as TinyMCE 4 will reach end-of-life in December 2020. Customers using the “/5” channel of our cloud-hosted TinyMCE will receive the update automatically,” Just told SecurityWeek.

“TinyMCE is a web-based rich text editor, and the issue relates to content not being properly sanitized before being loaded into the editor. We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5. Further to this, we recommend that users sanitize content server-side, and add a suitable Content Security Policy to their websites,” he explained.

Just says security is “extremely important” to the company and it has advised anyone who has discovered a vulnerability to report it via email at infosec(at)tiny.cloud.

Related: Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks

Related: Critical Flaw in SEO Plugin Exposed Many WordPress Sites to Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer systems applied in electrical engineering.
