Wednesday, May 29, 2024

Vulnerability in TinyMCE Text Editor Can Allow Attackers to Execute XSS Payloads

In the realm of text editors, TinyMCE has long been a popular choice, and on October 19, 2023, Tiny Technologies unveiled a significant update, version 5.10.8, with a primary focus on enhancing security. This latest release brings a host of essential security patches to ensure the protection of user data and the integrity of the editor.

Addressing a Mutation Cross-Site Scripting Vulnerability

One of the most critical security concerns tackled in TinyMCE 5.10.8 was a mutation cross-site scripting (mXSS) vulnerability, officially known as CVE-2023-45818. This vulnerability pertained to the undo and redo features of the editor. It resulted from a specific HTML content manipulation that could compromise the security of the system.


The issue at hand allowed a malicious HTML snippet to bypass the editor's sanitization processes and reach the undo stack as a manipulated string. When that string was retrieved from the undo stack and parsed again, the browser could produce a DOM that differed from the one the sanitizer had approved, triggering an XSS payload: the classic mutation XSS pattern of manipulation followed by re-parsing. This vulnerability had implications not only for the core editor but also extended its impact to several TinyMCE APIs and plugins, including tinymce.Editor.getContent({ format: 'raw' }), tinymce.Editor.resetContent(), and the Autosave open-source plugin.

To mitigate this risk, TinyMCE 5.10.8 implemented a significant change in how HTML is handled. Instead of relying on string manipulation, the update introduced node-level manipulation. This alteration significantly reduced the risk associated with the mXSS vulnerability, ensuring that user content remains secure.

Tackling Cross-Site Scripting Through Notification Messages

Another notable security issue, identified as CVE-2023-45819, involved the handling of notification messages containing HTML. In previous versions, these messages were not adequately sanitized before being displayed, leading to a cross-site scripting (XSS) vulnerability. This vulnerability was especially problematic in scenarios involving error handling, where attackers could inject malicious content and trigger notifications.

When users opened these notifications, the HTML within the notification’s text argument was displayed without filtering, making it susceptible to arbitrary JavaScript execution. The security risk extended to any integration using TinyMCE notifications to display unfiltered HTML content.

TinyMCE 5.10.8 effectively resolved this issue by ensuring that HTML is sanitized correctly, thereby preventing the exploit and securing the notification system against XSS attacks.

Acknowledgments and CVE Assignments

Both of these critical security issues, the mXSS vulnerability (CVE-2023-45818) and the notification-related XSS vulnerability (CVE-2023-45819), were assigned Common Vulnerabilities and Exposures (CVE) identifiers, adding transparency and clarity to the situation. These vulnerabilities were also duly recognized by GitHub Advisories, highlighting the importance of coordinated efforts in identifying and addressing security concerns.

Tiny Technologies expressed their gratitude towards the diligent security researchers who played a pivotal role in uncovering these issues. Their contribution underscores the significance of the broader community in enhancing the safety and robustness of digital tools.

With TinyMCE version 5.10.8, users can rest assured that their text editing experience is not only feature-rich but also fortified against potential security threats. This update marks another step forward in ensuring the safety and reliability of a beloved text editing solution.


Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.
