Cross-site Scripting (XSS) issue in media element #4394
Comments
I think you may be wrong here. Yes, that can be an issue, but it does not have to be, and it has nothing to do with the editor itself, I think.
@Daijobou: I am aware that my PoC describes self-XSS. If you do not recognise it as a vulnerability, I recommend you watch this video, "Self XSS: we're not so different, you and I": https://www.youtube.com/watch?v=l3yThCIF7e4. As long as TinyMCE performs changes on the user's input, such as input sanitisation, it is responsible for the actions performed by those sanitisation mechanisms and for the HTML code generated as a result.
Hi, do you know if this was fixed? MITRE also mentions that the vector involves manually copy/pasting the payload, which means this is little different from copy/pasting JavaScript directly into the browser console.
@Beuc: Below I put my way of reproducing it, at https://codepen.io/tinymce/pen/NGegZK. It can be noticed that version 4.9.6 is still prone to what I described more than a year ago. I would also like to mention that the codepen used during the tests is a TinyMCE Cloud demo, the full-featured example.
Hi, when I add the code injection to the I can reproduce the issue when adding Thanks
This issue has been fixed in TinyMCE 5.2.2 and TinyMCE 4.9.10, which have now been released to the community. Thanks for letting us know about this issue, and we're really sorry it wasn't picked up until recently. If you have any further issues, please let us know.

I would like to report a security bug
What is the current behavior?
TinyMCE is prone to inappropriate validation of user input in the process of media element creation. Below I describe a PoC which shows a way to execute arbitrary JavaScript code (self-XSS).
Steps to reproduce (it can be tested at https://codepen.io/tinymce/pen/NGegZK or http://fiddle.tinymce.com/; however, this vulnerability behaves slightly differently between those sites):
1. Click Insert > Media
2. Type "a" in source and change the active tab to embed

4. Create media element

What is the expected behavior?
After a few JavaScript executions (1-5 times) the media element becomes properly sanitised.
Moreover, after the XSS executes, any attempt to edit the malicious media element makes the editor unresponsive for the user.
Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?
Affected versions: at least 4.7.11 and 4.7.12
Tested Browsers: Chrome, Firefox
OS: macOS High Sierra
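The thread's point is that whatever sanitisation the editor applies to the Insert > Media embed tab, the HTML it emits is what ends up stored, so a backend should not rely on the editor alone. As an added example (not TinyMCE code, and not the reporter's PoC, which is not on this page), here is a server-side allowlist filter for media embed markup that keeps only known media elements, known attributes and absolute https URLs; the element/attribute sets and the sample input are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlisted media elements and attributes; anything not listed (script, object, on* handlers, ...) is removed.
ALLOWED = {"video": {"src", "poster", "width", "height", "controls"},
           "audio": {"src", "controls"}, "source": {"src", "type"},
           "iframe": {"src", "width", "height", "allowfullscreen"}}
VOID = {"source"}              # emitted without a closing tag
URL_ATTRS = {"src", "poster"}  # must be absolute https; relative and javascript: URLs are dropped

class MediaFilter(HTMLParser):  # rebuilds an embed snippet from its allowlisted parts only
    def __init__(self):
        super().__init__()
        self.out, self.stack, self.dropped = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        parts = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag] or (name in URL_ATTRS and urlparse(value.strip()).scheme.lower() != "https"):
                self.dropped.append(f"{tag}@{name}")
                continue
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")
        if tag not in VOID:
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in self.stack:  # close back to the matching open element
            while (closed := self.stack.pop()) != tag:
                self.out.append(f"</{closed}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.stack:  # text survives only inside an allowed element, escaped
            self.out.append(html.escape(data))

def filter_media_embed(markup):  # returns (clean_html, dropped_items) for one embed snippet
    f = MediaFilter()
    f.feed(markup)
    f.close()
    while f.stack:  # close elements the input left open
        f.out.append(f"</{f.stack.pop()}>")
    return "".join(f.out), f.dropped

CONSTRUCTED_EMBED = (  # constructed sample: one legitimate iframe plus markup the filter must strip
    '<iframe src="https://player.example.com/v/123" width="560" onload="alert(1)" allowfullscreen>'
    '</iframe><script>alert(document.cookie)</script><video controls src="javascript:alert(1)">'
    '<source src="https://cdn.example.com/a.mp4" type="video/mp4"></video>')
```

The `dropped` list is worth logging: a burst of removed `on*` attributes or `script` tags from one account is a useful detection signal for embed abuse attempts.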