Strix
26.1K

CVE-2023-48219

MEDIUMCVSS 6.1/10EPSS 0.71%

Last modified

CVE-2023-48219 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. EPSS estimates a 0.71% chance of exploitation in the next 30 days.

Description

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.71%

49.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
TinyTinymce< 5.10.9
TinyTinymce>= 6.0.0, < 6.7.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-48219?
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
How severe is CVE-2023-48219?
CVE-2023-48219 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.71% probability of exploitation in the next 30 days.
How do I fix CVE-2023-48219?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-48219?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST