dotnet · tinymce · Critical
TinyMCE 6.8.x-7.0.x XSS via SVG namespace handling
What changed
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing arbitrary JavaScript execution via nested <svg> elements.
Who it affects
Users of TinyMCE versions 6.8.x through 7.0.x.
What to do today
Upgrade to TinyMCE 7.1.0 or later to fix the vulnerability.
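To find projects that still need the upgrade, the following added example (not part of the original advisory or of TinyMCE) checks .NET project files for a TinyMCE reference inside the affected range stated above. The NuGet package id `TinyMCE` and the sample project file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Range taken from the advisory text: 6.8.x through 7.0.x, fixed in 7.1.0.
AFFECTED_MIN = (6, 8, 0)
FIXED_IN = (7, 1, 0)
PACKAGE_ID = "tinymce"  # assumption: NuGet package id, compared case-insensitively

def parse_version(text):
    """Return (major, minor, patch) from a NuGet version string, or None."""
    m = re.match(r"\s*[\[(]?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def is_affected(version_text):
    # Ranges and floating versions are judged by their lower bound only;
    # confirm the resolved version in the lock file for those.
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v < FIXED_IN

def find_tinymce_versions(xml_text):
    """Yield TinyMCE version strings from .csproj or packages.config XML."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop any XML namespace
        if tag == "PackageReference":
            name = el.get("Include") or el.get("Update") or ""
            version = el.get("Version")
            if version is None:  # Version may be a child element instead
                child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
                version = child.text if child is not None else None
        elif tag == "package":  # packages.config entry
            name, version = el.get("id", ""), el.get("version")
        else:
            continue
        if name.lower() == PACKAGE_ID and version:
            yield version.strip()

def audit(xml_text):
    """Return (version, affected) pairs for every TinyMCE reference found."""
    return [(v, is_affected(v)) for v in find_tinymce_versions(xml_text)]

# Constructed sample project file, not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="TinyMCE" Version="7.0.1" />
  </ItemGroup>
</Project>"""
```

`audit(SAMPLE_CSPROJ)` reports the constructed 7.0.1 reference as affected; run `audit` over each project file's contents to list the references that need the 7.1.0 upgrade.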