Skip to content

[GHSA-q742-qvgc-gc2f] TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes#8483

Closed
sbrinkhorst wants to merge 1 commit into
sbrinkhorst/advisory-improvement-8483from
sbrinkhorst-GHSA-q742-qvgc-gc2f
Closed

[GHSA-q742-qvgc-gc2f] TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes#8483
sbrinkhorst wants to merge 1 commit into
sbrinkhorst/advisory-improvement-8483from
sbrinkhorst-GHSA-q742-qvgc-gc2f

Conversation

@sbrinkhorst

Copy link
Copy Markdown

Updates

  • Affected products

Comments
If no patched version is listed, the resulting range will be> 0. This marks all versions of the library as vulnerable in various automated tooling.

@github

github commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Hi there @MitchC1999! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to sbrinkhorst/advisory-improvement-8483 July 3, 2026 08:56
@advisory-database advisory-database Bot closed this Jul 6, 2026
@github-actions github-actions Bot deleted the sbrinkhorst-GHSA-q742-qvgc-gc2f branch July 6, 2026 16:34
@taladrane

Copy link
Copy Markdown
Collaborator

👋 version 5.11.1 isn't available to open source, it's only available for commercial licenses and is not published on the respective registry

@sbrinkhorst

Copy link
Copy Markdown
Author

The problem is that the way the data is structured it results in incorrect ranges of vulnerable versions. Tools like https://github.com/google/osv-scanner now will mark all versions of tinymce as vulnerable. The reason is that there are multiple ranges listed, and one of them is simply this:

"events": [
            {
              "introduced": "0"
            }
          ]

If there is no explicit end to the range, it will have an implicit "limit": "*" to end it. The resulting range is simply all versions larger than 0. A human can see that it is intended only for the versions up to 5.x, because there is a separate range for the 6.x, but there basically is no reliable way for automated processes to determine that.

There are multiple ways out:

  • The JSON schema also has the type last_affected for range event, so we can add the event "last_affected": "5.10.9" because that is the last opensource version and we know it is affected. This means that users of the 5.11.0 closed source version will get a false negative (assuming that this version exists and is vulnerable, which is likely). This is the choice that has been made for similar vulnerabilities: https://osv.dev/vulnerability/GHSA-vg35-5wq7-3x7w
  • The range >= 6.0.0, < 7.9.3 is also vulnerable, and in the open source versions there is nothing between 5.10.9 and 6.0.0. So we can also make a single range events lists to express >0, <7.9.3. The consequence is that users of the closed source fixed version 5.11.1 will get a false positive.

Either solution is fine by me, the first one is already used in other places. I can make a new PR for it.

@taladrane

Copy link
Copy Markdown
Collaborator

👋 @sbrinkhorst thank you for the explanation! I understand what you mean, and will adjust it to 5.10.9 to better reflect that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants