CVE-2024-38356
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2024-38356 is a recently identified cross-site scripting (XSS) vulnerability in TinyMCE, a popular open-source rich text editor. The issue lies in TinyMCE's content extraction code, which did not adequately verify specially crafted HTML attributes containing malicious code when the `noneditable_regexp` option was in use. As a result, an attacker could execute malicious scripts in the context of the affected website. The vulnerability has been addressed in TinyMCE versions 7.2.0, 6.8.4, and 5.11.0 LTS, which ensure that content within attributes is properly verified before it is added. Users are strongly encouraged to upgrade as soon as possible, as there are no known workarounds for this vulnerability.
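Because the only remediation is upgrading, the practical question for a defender is which deployments are on an affected release and which of those actually enable `noneditable_regexp`. The helper below is an added triage example, not code from TinyMCE or from this advisory; it encodes only the fixed versions named above (7.2.0, 6.8.4, 5.11.0 LTS) and assumes that any major version above 7 also carries the fix, that 4.x and earlier have no fixed release listed, and that `editorConfig` is the options object passed to `tinymce.init`, where `noneditable_regexp` holds a RegExp or an array of RegExps.

```javascript
// Added triage helper for CVE-2024-38356 (example code, not TinyMCE's own).
// Fixed releases as stated in the advisory, keyed by major version.
const FIXED_VERSIONS = { 5: [5, 11, 0], 6: [6, 8, 4], 7: [7, 2, 0] };

// Parse "6.8.3", "v7.2.0" or "7.2.0-rc1" into [major, minor, patch].
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised TinyMCE version string: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given release includes the fix for CVE-2024-38356.
function isPatched(versionString) {
  const v = parseVersion(versionString);
  const major = v[0];
  if (major > 7) return true; // assumption: later major lines ship after 7.2.0
  const fixed = FIXED_VERSIONS[major];
  if (!fixed) return false; // assumption: no fixed release listed for 4.x and earlier
  return compareVersions(v, fixed) >= 0;
}

// Combine the version check with whether the vulnerable option is enabled.
// Exposure needs both an unpatched release and noneditable_regexp in use;
// the action is "upgrade" either way because the advisory lists no workaround.
function assessConfig(versionString, editorConfig) {
  const opt = editorConfig ? editorConfig.noneditable_regexp : undefined;
  const usesRegexp = Array.isArray(opt) ? opt.length > 0 : opt != null;
  if (isPatched(versionString)) {
    return { status: 'patched', action: 'none' };
  }
  if (!usesRegexp) {
    return { status: 'vulnerable-version', action: 'upgrade' };
  }
  return { status: 'exposed', action: 'upgrade' };
}

// Constructed inventory entries for illustration; not real deployments.
const inventory = [
  { site: 'intranet-cms', version: '6.8.3', config: { noneditable_regexp: [/\{[^}]+\}/g] } },
  { site: 'blog-admin', version: '7.1.2', config: {} },
  { site: 'docs-portal', version: '7.2.0', config: { noneditable_regexp: /\[\[.*?\]\]/g } },
];
for (const entry of inventory) {
  const result = assessConfig(entry.version, entry.config);
  console.log(`${entry.site} (${entry.version}): ${result.status}, action=${result.action}`);
}

module.exports = { parseVersion, compareVersions, isPatched, assessConfig };
```

Running it prints one line per inventory entry; the "exposed" entries are the ones to prioritise, but every "vulnerable-version" entry still needs the upgrade, since the option may be enabled later without anyone revisiting the CVE.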
Affected Products
- TinyMCE
Affected Vendors
- Tiny