js · tinymce · Critical
TinyMCE XSS vulnerability via SVG namespace bypass in 6.8.x-7.0.x
What changed
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing crafted nested <svg> elements to bypass attribute sanitization and execute arbitrary JavaScript.
Who it affects
Users of TinyMCE versions 6.8.x through 7.0.x.
What to do today
Upgrade to TinyMCE 7.1.0 or later to fix the vulnerability.