[GHSA-q742-qvgc-gc2f] TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes#8483
Conversation
|
Hi there @MitchC1999! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
👋 version 5.11.1 isn't available to open source, it's only available for commercial licenses and is not published on the respective registry |
|
The problem is that the way the data is structured it results in incorrect ranges of vulnerable versions. Tools like https://github.com/google/osv-scanner now will mark all versions of tinymce as vulnerable. The reason is that there are multiple ranges listed, and one of them is simply this: If there is no explicit end to the range, it will have an implicit There are multiple ways out:
Either solution is fine by me, the first one is already used in other places. I can make a new PR for it. |
|
👋 @sbrinkhorst thank you for the explanation! I understand what you mean, and will adjust it to |
Updates
Comments
If no patched version is listed, the resulting range will be
> 0. This marks all versions of the library as vulnerable in various automated tooling.