From 27ba37396ed02697a9855e7169faba55905101eb Mon Sep 17 00:00:00 2001
From: Erlend Oftedal
Date: Wed, 26 Jun 2024 10:16:53 +0200
Subject: [PATCH] Adding two more TinyMCE vulns
---
 repository/jsrepository-master.json | 69 ++++++++++++
 repository/jsrepository-v2.json | 159 ++++++++++++++++++++++++++++
 repository/jsrepository.json | 159 ++++++++++++++++++++++++++++
 3 files changed, 387 insertions(+)
diff --git a/repository/jsrepository-master.json b/repository/jsrepository-master.json
index e68f4f4d..1933512e 100644
--- a/repository/jsrepository-master.json
+++ b/repository/jsrepository-master.json
@@ -1409,6 +1409,75 @@
 "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
 "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
 ]
+ },
+ {
+ "ranges": [
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0"
+ },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4"
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0"
+ }
+ ],
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "cwe": ["CWE-79"],
+ "severity": "medium",
+ "identifiers": {
+ "CVE": ["CVE-2024-38357"],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "ranges": [
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0"
+ },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4"
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0"
+ }
+ ],
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "cwe": ["CWE-79"],
+ "severity": "medium",
+ "identifiers": {
+ "CVE": ["CVE-2024-38356"],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
 }
 ],
 "extractors": {
diff --git a/repository/jsrepository-v2.json b/repository/jsrepository-v2.json
index 9805191a..98adab5d 100644
--- a/repository/jsrepository-v2.json
+++ b/repository/jsrepository-v2.json
@@ -1579,6 +1579,59 @@
 "https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
 ]
 },
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
+ },
 {
 "atOrAbove": "6.0.0",
 "below": "6.3.1",
@@ -1686,6 +1739,59 @@
 "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
 ]
 },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
+ },
 {
 "atOrAbove": "0",
 "below": "7.0.0",
@@ -1709,6 +1815,59 @@
 "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
 "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
 ]
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
 }
 ],
 "extractors": {
diff --git a/repository/jsrepository.json b/repository/jsrepository.json
index 17f6d667..11474d5a 100644
--- a/repository/jsrepository.json
+++ b/repository/jsrepository.json
@@ -1565,6 +1565,59 @@
 "https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
 ]
 },
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "5.11.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
+ },
 {
 "atOrAbove": "6.0.0",
 "below": "6.3.1",
@@ -1672,6 +1725,59 @@
 "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
 ]
 },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "6.0.0",
+ "below": "6.8.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
+ },
 {
 "atOrAbove": "0",
 "below": "7.0.0",
@@ -1695,6 +1801,59 @@
 "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
 "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
 ]
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option",
+ "CVE": [
+ "CVE-2024-38356"
+ ],
+ "githubID": "GHSA-9hcv-j9pv-qmph"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38356",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/latest/7.2-release-notes/#overview"
+ ]
+ },
+ {
+ "atOrAbove": "7.0.0",
+ "below": "7.2.0",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements",
+ "CVE": [
+ "CVE-2024-38357"
+ ],
+ "githubID": "GHSA-w9jx-4g6g-rp7x"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-38357",
+ "https://github.com/tinymce/tinymce/commit/5acb741665a98e83d62b91713c800abbff43b00d",
+ "https://github.com/tinymce/tinymce/commit/a9fb858509f86dacfa8b01cfd34653b408983ac0",
+ "https://github.com/tinymce/tinymce",
+ "https://owasp.org/www-community/attacks/xss",
+ "https://www.tiny.cloud/docs/tinymce/6/6.8.4-release-notes/#overview",
+ "https://www.tiny.cloud/docs/tinymce/7/7.2-release-notes/#overview"
+ ]
 }
 ],
 "extractors": {