@alon710
Created June 9, 2026 16:41
CVE-2024-29203: Client-Side Cross-Site Scripting via Unsandboxed Iframes and Legacy Embed Elements in TinyMCE - CVE Security Report

CVSS Score: 4.3
Published: 2024-03-26
Full Report: https://cvereports.com/reports/CVE-2024-29203

Summary

CVE-2024-29203 identifies a cross-site scripting (XSS) vulnerability in the content ingestion and parsing logic of the TinyMCE rich text editor. Because the editor failed to enforce sandbox attributes on dynamically inserted iframe elements and did not safely handle legacy object and embed elements, unauthenticated attackers could inject elements that execute scripts in the context of the parent application's session.

TL;DR

TinyMCE versions prior to 6.8.1 failed to sandbox pasted/inserted iframes or convert risky object and embed tags, allowing attackers to execute arbitrary scripts in the application context via client-side payloads.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network
  • CVSS v3.1 Score: 4.3 (Medium Severity)
  • EPSS Score: 0.01605 (Percentile: 82.11%)
  • Exploit Status: PoC / Code-level understanding available
  • CISA KEV Status: Not Listed
  • Ransomware Association: No

Affected Systems

  • TinyMCE Rich Text Editor
  • TinyMCE: < 6.8.1 (Fixed in: 6.8.1)
  • TinyMCE: >= 6.8.2, < 7.0.0 (Fixed in: 7.0.0)

Mitigation

  • Upgrade TinyMCE to version 6.8.1 or newer.
  • Explicitly configure sandbox_iframes: true in TinyMCE 6.x initializers.
  • Explicitly configure convert_unsafe_embeds: true in TinyMCE 6.x initializers.
  • Upgrade to TinyMCE 7.x for secure-by-default behavior.

Remediation Steps:

  1. Identify all web application components utilizing the TinyMCE editor interface.
  2. Update package configurations to load TinyMCE version 6.8.1 (or higher) or version 7.0.0 (or higher).
  3. Modify the initialization call tinymce.init() to include sandbox_iframes: true and convert_unsafe_embeds: true for 6.x installations.
  4. Validate the change by copying and pasting an iframe and an object tag into the editor, then inspecting the parsed output schema to ensure attributes match expectations.
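The following is an added example, not code from the CVE report or from TinyMCE itself. It shows a weak TinyMCE 6.x initializer beside the hardened one using the two option names the advisory gives (sandbox_iframes, convert_unsafe_embeds), plus two small helpers that are my own assumptions: one that reports which hardening options an init object is missing, and one that audits serialized editor output (the kind of string editor.getContent() returns) the way remediation step 4 describes, flagging iframes without a sandbox attribute and any object or embed element that survived parsing. The sample output strings are constructed for the example.

```javascript
// Added example: hardening a TinyMCE 6.x initializer and auditing editor
// output for CVE-2024-29203. Not code from the CVE report or from TinyMCE;
// the option names come from the advisory, the helper functions are assumptions.

// Weak 6.x initializer: neither option set, so iframes are not sandboxed
// and <object>/<embed> tags pass through the parser unchanged.
const weakInit = { selector: 'textarea#editor' };

// Hardened 6.x initializer: the two options the advisory says to set.
// (The advisory states TinyMCE 7.x is secure by default.)
const hardenedInit = {
  selector: 'textarea#editor',
  sandbox_iframes: true,
  convert_unsafe_embeds: true,
};

// Options a 6.x deployment must enable; returns the ones missing or not true.
const REQUIRED_OPTIONS = ['sandbox_iframes', 'convert_unsafe_embeds'];
function missingHardeningOptions(init) {
  return REQUIRED_OPTIONS.filter((name) => init[name] !== true);
}

// Audit serialized editor output after pasting an iframe and an object/embed
// (remediation step 4). A small tag scanner is used instead of a DOM so the
// check can run in a CI script over saved output; it returns a list of findings.
function auditEditorOutput(html) {
  const findings = [];
  const tagRe = /<(iframe|object|embed)\b([^>]*)>/gi;
  // Matches a bare `sandbox` or `sandbox="..."` attribute, not e.g. data-sandbox.
  const hasSandbox = (attrs) => /(^|\s)sandbox(\s*=|\s|\/|$)/i.test(attrs);
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    const tag = match[1].toLowerCase();
    const attrs = match[2];
    if (tag === 'iframe') {
      if (!hasSandbox(attrs)) {
        findings.push('iframe without sandbox attribute (sandbox_iframes not in effect)');
      }
    } else {
      findings.push(`<${tag}> survived parsing (convert_unsafe_embeds not in effect)`);
    }
  }
  return findings;
}

// Constructed sample outputs standing in for editor.getContent() results.
// Output of an unhardened 6.x editor: iframe unsandboxed, object/embed kept.
const unsafeOutput =
  '<p>hi</p><iframe src="https://example.invalid/page"></iframe>' +
  '<object data="https://example.invalid/x.swf"></object>' +
  '<embed src="https://example.invalid/y">';
// Output of a hardened editor: iframe sandboxed, embed replaced by a harmless
// element (constructed; which element TinyMCE substitutes depends on the embed).
const safeOutput =
  '<p>hi</p><iframe src="https://example.invalid/page" sandbox=""></iframe>' +
  '<img src="https://example.invalid/y.png">';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak init missing:', missingHardeningOptions(weakInit));
  console.log('hardened init missing:', missingHardeningOptions(hardenedInit));
  console.log('unsafe output findings:', auditEditorOutput(unsafeOutput));
  console.log('safe output findings:', auditEditorOutput(safeOutput));
}
```

Run it with node and an empty findings list for the hardened output is the expected result; a non-empty list means the options are not taking effect in the editor build under test, which is the signal step 4 is looking for.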

Generated by CVEReports - Automated Vulnerability Intelligence
