
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN457
_____________________________________________________________________

DATE                : 19/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TinyMCE versions prior to 4.9.11, or
                     TinyMCE 5.x versions prior to 5.4.1.

=====================================================================
https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h
https://www.tiny.cloud/blog/xss-security-issue-tinys-commitment/
_____________________________________________________________________


Severity
    moderate

Packages
    tinymce (npm, composer, nuget)

Affected versions
    >=5.0.0 <5.4.1, <4.9.11

Patched versions
    4.9.11, 5.4.1


Impact

A cross-site scripting (XSS) vulnerability was discovered in the core
parser. The vulnerability allowed arbitrary JavaScript execution when
inserting a specially crafted piece of content into the editor via the
clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10
or lower and TinyMCE 5.4.0 or lower.


Patches

This vulnerability has been patched in TinyMCE 4.9.11 and 5.4.1 by
improved HTML parsing and sanitization logic.


Workarounds

The workarounds available are:

    upgrade to either TinyMCE 4.9.11 or TinyMCE 5.4.1
    or
    enable the media plugin, which overrides the default parsing
      behaviour for iframes
    or
    add the following workaround to update the parsing schema rules for
     iframes:

Example: Change the default schema for iframes

tinymce.init({
  selector: 'textarea',
  setup: function (editor) {
    editor.on('PreInit', function () {
      // Treat iframe as a "special element": the parser keeps everything up
      // to the first </iframe ...> end tag as raw text rather than parsing it.
      editor.schema.getSpecialElements()['iframe'] = /<\/iframe[^>]*>/gi;
    });
  }
});
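To make clear what the workaround's schema entry changes, the following is an added illustration written for this note; it is not TinyMCE's parser and not the patched code. It is a minimal SAX-style scanner with a "special elements" table of the same shape as editor.schema.getSpecialElements(): when a start tag's name is in the table, the body up to the first match of that element's end-tag regex is captured as one raw text chunk instead of being tokenized into child elements. The SAMPLE string is constructed for the demonstration and is not the payload from the report.

```javascript
'use strict';

// Added illustration: a minimal SAX-style scanner with a "special elements"
// table of the same shape as editor.schema.getSpecialElements(). This is not
// TinyMCE's parser and not the patched code; it only shows what registering
// an end-tag regex for an element name changes.

// Element name -> regex that locates its end tag. The body is never parsed.
function makeSpecialElements(extra) {
  return Object.assign({
    script: /<\/script[^>]*>/gi,
    style: /<\/style[^>]*>/gi,
  }, extra || {});
}

// Tokenize html into start/end/text/raw records. Enough of HTML tokenization
// for the illustration; comments, doctypes and entities are not handled.
function tokenize(html, specialElements) {
  const tokens = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > pos) tokens.push({ type: 'text', value: html.slice(pos, m.index) });
    const name = m[2].toLowerCase();
    if (m[1] === '/') {
      tokens.push({ type: 'end', name });
      pos = tagRe.lastIndex;
      continue;
    }
    tokens.push({ type: 'start', name, attrs: m[3].trim() });
    pos = tagRe.lastIndex;
    const endRe = specialElements[name];
    if (endRe) {
      // Raw mode: everything up to the first end-tag match is one text chunk,
      // so an <img onerror=...> inside it never becomes an element.
      endRe.lastIndex = pos;
      const end = endRe.exec(html);
      const bodyEnd = end ? end.index : html.length;
      tokens.push({ type: 'raw', name, value: html.slice(pos, bodyEnd) });
      tokens.push({ type: 'end', name });
      pos = tagRe.lastIndex = end ? end.index + end[0].length : html.length;
    }
  }
  if (pos < html.length) tokens.push({ type: 'text', value: html.slice(pos) });
  return tokens;
}

// Names of the elements a DOM builder fed by this scanner would create.
function elementNames(html, specialElements) {
  return tokenize(html, specialElements)
    .filter(t => t.type === 'start')
    .map(t => t.name);
}

// Constructed sample (not the payload from the report): an element with an
// event-handler attribute placed inside an iframe body.
const SAMPLE = '<p>hi</p><iframe src="about:blank"><img src=x onerror="alert(1)"></iframe>';

// No iframe entry: the img is an element in its own right.
//   elementNames(SAMPLE, makeSpecialElements())  -> ['p', 'iframe', 'img']
// With the workaround's entry: the img is raw text inside the iframe.
//   elementNames(SAMPLE, makeSpecialElements({ iframe: /<\/iframe[^>]*>/gi }))  -> ['p', 'iframe']
```

The `[^>]*` and the `i` flag in the workaround's regex are what let the end-tag search tolerate `</IFRAME >` or an end tag carrying junk attributes; a stricter regex would leave the raw region open until the end of the document, and whatever follows would be swallowed as text.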


Acknowledgements

Tiny Technologies would like to thank George Steketee and Chris Davis at
Bishop Fox for discovering this vulnerability.


References

https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes


For more information

If you have any questions or comments about this advisory:

    Open an issue in the TinyMCE repo
    Email us at infosec@tiny.cloud

_____________________________________________________________________

XSS security issue - Tiny’s commitment

Dylan Just
August 12th, 2020


Tiny has released a security update for its open source HTML editor
based on a cross-site scripting (XSS) vulnerability discovered by Bishop
Fox Labs.


What is the security issue?

TinyMCE 4 prior to 4.9.11 and TinyMCE 5 prior to 5.4.1 are affected by a
vulnerability in their content sanitization logic, which allows an
attacker to bypass these built-in cross-site scripting (XSS) protections
and execute arbitrary JavaScript code.

This vulnerability can be mitigated with holistic XSS protections from
the application, such as a strict content security policy (CSP), or by
updating TinyMCE to version 4.9.11 or 5.4.1.


Applying security updates

Our users consume TinyMCE through several channels, so the patching
process is different for each.

Open Source users typically consume TinyMCE via NPM. These users should
use their package manager (typically NPM or Yarn) to update the package.

Our commercial users consume TinyMCE through our cloud or self-hosted
offerings.

Cloud users add TinyMCE to their web pages using a script tag with a URL
like this one below, filling in MY_API_KEY with their API Key shown in
My Account.

https://cdn.tiny.cloud/1/MY_API_KEY/tinymce/5/tinymce.min.js

Note the "5" in the URL – this denotes the major version of TinyMCE. Any
users using this URL will automatically receive the update. Some users
may be using "4" or "stable" – these users will receive the security
fixes, but we strongly recommend that they switch to "5" to get the
latest updates.

Self-hosted customers can download updates to TinyMCE through My
Account.


TinyMCE & security

TinyMCE is a web-based rich text editor. It loads HTML content, provides
a powerful editing experience, then allows the content to be retrieved,
for example, to publish on a web page. It is a component that's
integrated into many web-based user interfaces – typically Content
Management Systems (CMS) and Learning Management Systems (LMS).

When HTML content is loaded into TinyMCE – either by JavaScript calls,
pasting content, or other user input – TinyMCE must not execute any
scripts contained in this content. The vulnerability listed is of this
form – TinyMCE is not correctly sanitizing the content before including
it in the browser DOM, and so the embedded script is executed.


General recommendations

As a JavaScript component, TinyMCE is just one part of the content
lifecycle. When a web app extracts content from TinyMCE, we strongly
recommend that the content is sanitized server-side before saving or
publishing. This is no different to any other input coming from a web
page – someone could put a script tag in an input or textarea tag, but
it's up to the app itself to make sure the content is safe before
publishing or rendering. If the integrating app does this, then this
whole class of vulnerability is mitigated.

We also recommend the use of a Content Security Policy to further
mitigate XSS vectors.


Tiny's security response process

Security is very important to us and our users, so security issues are
given the highest priority of any type of issue at Tiny.

Anyone discovering a vulnerability may report it by emailing
infosec@tiny.cloud. Tiny customers may also log issues through the Tiny
support system.

When security issues are reported, our InfoSec team assesses the
severity and impact of the issue and decides on a course of action. If
the issue requires a change to a product, we consult with the relevant
engineering team, and the issue is given top priority. The issue will be
addressed in all supported versions, first in any open source versions,
then immediately in our commercial versions.

Once the issue is fixed in the commercial versions, we issue security
alerts. GitHub security advisories are well suited to this, as GitHub is
such a well-known system and integrates well into many companies'
patching workflows.

Our InfoSec team also holds a quarterly review to discuss all issues
raised in the quarter, and to make process improvements going forward.

Stay up to date with what's happening at Tiny by following us on
Twitter, and don't hesitate to contact us with any questions or feedback
at all.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




