Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cW04LWp4OHItOHJjcc4AAy-r
Cross-site scripting vulnerabilities in old version of bundled TinyMCE
An old version of TinyMCE includes an XSS vulnerability, which was patched in a later version. This was described by TinyMCE:
A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.
Reported by: Developers at ACC
Permalink: https://github.com/advisories/GHSA-wqm8-jx8r-8rcq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cW04LWp4OHItOHJjcc4AAy-r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-wqm8-jx8r-8rcq
References:
- https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-wqm8-jx8r-8rcq
- https://github.com/advisories/GHSA-vrv8-v4w8-f95h
- https://www.silverstripe.org/download/security-releases/ss-2023-001
- https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/SS-2023-001.yaml
- https://github.com/advisories/GHSA-wqm8-jx8r-8rcq
Blast Radius: 14.8
Affected Packages
packagist:silverstripe/admin
Dependent packages: 169
Dependent repositories: 550
Downloads: 1,668,836 total
Affected Version Ranges: < 1.12.7
Fixed in: 1.12.7
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6
All unaffected versions: 1.12.7, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.13.11, 1.13.12, 1.13.13, 1.13.14, 1.13.15, 1.13.16, 1.13.17, 1.13.18, 1.13.19, 1.13.20, 1.13.21, 1.13.22, 1.13.23, 1.13.24, 1.13.25, 1.13.26, 1.13.27, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.2.0, 2.2.1