js · tinymce · Critical
TinyMCE Stored XSS via forged mce:protected comments
What changed
Stored XSS vulnerability via forged mce:protected comments bypasses sanitization and injects scripts on content restore.
Who it affects
Users who utilize the protect option in TinyMCE.
What to do today
Upgrade to TinyMCE 8.5.1+, 7.9.3+, or 5.11.1 LTS+.
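An audit for content already in storage, as an added example that is not code from this advisory or from TinyMCE: it flags any mce:protected comment whose decoded payload the site's own protect patterns could not have produced. It assumes protected content is stored as "<!--mce:protected " plus an escape()-encoded payload; SITE_PROTECT_PATTERNS, producedByProtect, auditStoredHtml and both sample strings are hypothetical names and constructed data.

```javascript
// Added example: audit stored HTML for mce:protected comments that the
// site's configured `protect` regexes could not have generated.
// Assumption: the editor stores protected content as
// "<!--mce:protected " + escape(original) + "-->".
const PROTECTED_COMMENT = /<!--mce:protected ([\s\S]*?)-->/g;

// Hypothetical site configuration: the same regexes passed to `protect`.
const SITE_PROTECT_PATTERNS = [/<\?php[\s\S]*?\?>/g];

// True only if the first match of a configured pattern is the whole payload,
// which is what a genuine protect replacement would have captured.
function producedByProtect(decoded, patterns) {
  return patterns.some((pattern) => {
    const flags = pattern.flags.replace(/[gy]/g, '');
    const m = new RegExp(pattern.source, flags).exec(decoded);
    return m !== null && m.index === 0 && m[0].length === decoded.length;
  });
}

// Returns one finding per suspicious comment: its offset and decoded payload.
function auditStoredHtml(html, patterns = SITE_PROTECT_PATTERNS) {
  const findings = [];
  for (const match of html.matchAll(PROTECTED_COMMENT)) {
    const decoded = unescape(match[1]); // mirrors the assumed escape() encoding
    if (!producedByProtect(decoded, patterns)) {
      findings.push({ offset: match.index, decoded });
    }
  }
  return findings;
}

// Constructed samples: one comment a PHP protect rule would produce,
// and one carrying markup that no configured rule matches.
const SAMPLE_LEGIT =
  '<p>Hi</p><!--mce:protected %3C%3Fphp%20echo%20%24name%3B%20%3F%3E-->';
const SAMPLE_FORGED =
  '<p>Hi</p><!--mce:protected %3Cimg%20src%3D%22x.png%22%3E-->';

for (const [label, html] of [['legit', SAMPLE_LEGIT], ['forged', SAMPLE_FORGED]]) {
  console.log(label, JSON.stringify(auditStoredHtml(html)));
}
```

Run it over each stored document with the protect patterns your editor configuration actually uses; a site that does not set protect at all should treat every hit as suspicious by passing an empty pattern list.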