{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38357", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-14T14:16:16.464Z", "datePublished": "2024-06-19T20:03:49.806Z", "dateUpdated": "2024-08-02T04:04:25.258Z"}, "containers": {"cna": {"title": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x"}, {"name": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "tags": ["x_refsource_MISC"], "url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d"}, {"name": "https://owasp.org/www-community/attacks/xss", "tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/xss"}, {"name": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "tags": ["x_refsource_MISC"], "url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview"}, {"name": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "tags": ["x_refsource_MISC"], "url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"}], "affected": [{"vendor": "tinymce", "product": "tinymce", "versions": [{"version": "< 5.11.0", "status": "affected"}, {"version": ">= 6.0.0, <6.8.4", "status": "affected"}, {"version": ">= 7.0.0, < 7.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T20:03:49.806Z"}, "descriptions": [{"lang": "en", "value": "TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE\u2019s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "source": {"advisory": "GHSA-w9jx-4g6g-rp7x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-20T13:07:53.926006Z", "id": "CVE-2024-38357", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:08:03.369Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.258Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x"}, {"name": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d"}, {"name": "https://owasp.org/www-community/attacks/xss", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owasp.org/www-community/attacks/xss"}, {"name": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview"}, {"name": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-20T13:07:53.926006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:07:59.295Z"}}], "cna": {"title": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements", "source": {"advisory": "GHSA-w9jx-4g6g-rp7x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "tinymce", "product": "tinymce", "versions": [{"status": "affected", "version": "< 5.11.0"}, {"status": "affected", "version": ">= 6.0.0, <6.8.4"}, {"status": "affected", "version": ">= 7.0.0, < 7.2.0"}]}], "references": [{"url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x", "name": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "name": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d", "tags": ["x_refsource_MISC"]}, {"url": "https://owasp.org/www-community/attacks/xss", "name": "https://owasp.org/www-community/attacks/xss", "tags": ["x_refsource_MISC"]}, {"url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "name": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview", "tags": ["x_refsource_MISC"]}, {"url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "name": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE\u2019s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-19T20:03:49.806Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38357", "state": "PUBLISHED", "dateUpdated": "2024-06-20T13:08:03.369Z", "dateReserved": "2024-06-14T14:16:16.464Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-19T20:03:49.806Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE\u2019s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "TinyMCE es un editor de texto enriquecido de c\u00f3digo abierto. Se descubri\u00f3 una vulnerabilidad de cross-site scripting (XSS) en el c\u00f3digo de an\u00e1lisis de contenido de TinyMCE. Esto permiti\u00f3 que se ejecutaran elementos noscript especialmente manipulados que conten\u00edan c\u00f3digo malicioso cuando ese contenido se cargaba en el editor. Esta vulnerabilidad se ha solucionado en TinyMCE 7.2.0, TinyMCE 6.8.4 y TinyMCE 5.11.0 LTS garantizando que el contenido dentro de los elementos noscript se analice correctamente. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-38357", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-19T20:15:11.727", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d"}, {"source": "security-advisories@github.com", "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x"}, {"source": "security-advisories@github.com", "url": "https://owasp.org/www-community/attacks/xss"}, {"source": "security-advisories@github.com", "url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview"}, {"source": "security-advisories@github.com", "url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://owasp.org/www-community/attacks/xss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-13T11:13:59.120136+00:00", "updated": "2025-07-13T11:13:59.120187+00:00", "vendors": ["tinymce", "tinymce$PRODUCT$tinymce"]}