Base Score

MEDIUM6.1

CVE-2024-21910

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.

VectorNETWORK

Published Bydisclosure@vulncheck.com

Published DateJan 03, 2024, 16:15

Affected Versions(4)

tinymce(npm)

Introduced0

Fixed5.10.0

LimitN/A

tinymce/tinymce(Packagist)

Introduced0

Fixed5.10.0

LimitN/A

TinyMCE(NuGet)

Introduced0

Fixed5.10.0

LimitN/A

django-tinymce(PyPI)

Introduced0

Fixed3.4.0

LimitN/A

Package (Ecosystem)	Fixed	Limit
tinymce(npm)	5.10.0	N/A
tinymce/tinymce(Packagist)	5.10.0	N/A
TinyMCE(NuGet)	5.10.0	N/A
django-tinymce(PyPI)	3.4.0	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM6.1

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE