CVE Reports

Posted on • Originally published at cvereports.com

CVE-2024-29203: Client-Side Cross-Site Scripting via Unsandboxed Iframes and Legacy Embed Elements in TinyMCE

Vulnerability ID: CVE-2024-29203
CVSS Score: 4.3
Published: 2024-03-26

CVE-2024-29203 identifies a cross-site scripting (XSS) vulnerability in the content insertion and parsing code of the TinyMCE rich text editor. Because inserted iframe elements were not given a sandbox attribute and legacy object and embed elements were not converted to safer equivalents, an attacker who can get crafted HTML into the editor (for example, by having a user paste it) can have script execute in the context of the application that hosts the editor, rather than inside an isolated frame.

TL;DR

TinyMCE versions before 6.8.1 neither sandboxed pasted or inserted iframes nor converted risky object and embed elements, so client-side payloads carried in editor content could execute arbitrary script in the hosting application's context. Version 6.8.1 introduces the sandbox_iframes and convert_unsafe_embeds options, which must be enabled explicitly on 6.x; version 7.0.0 enables them by default.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network
  • CVSS v3.1 Score: 4.3 (Medium Severity)
  • EPSS Score: 0.01605 (Percentile: 82.11%)
  • Exploit Status: PoC / Code-level understanding available
  • CISA KEV Status: Not Listed
  • Ransomware Association: No

Affected Systems

  • TinyMCE Rich Text Editor
  • TinyMCE: < 6.8.1 (Fixed in: 6.8.1, which adds the sandbox_iframes and convert_unsafe_embeds options)
  • TinyMCE: >= 6.8.2, < 7.0.0 (options available but not enabled by default; secure by default from 7.0.0)

Code Analysis

Commit: bcdea2a

Introduce sandbox_iframes and convert_unsafe_embeds settings to sanitize risky iframes, object, and embed elements.

Mitigation Strategies

  • Upgrade TinyMCE to version 6.8.1 or newer.
  • Explicitly configure sandbox_iframes: true in TinyMCE 6.x initializers.
  • Explicitly configure convert_unsafe_embeds: true in TinyMCE 6.x initializers.
  • Upgrade to TinyMCE 7.x for secure-by-default behavior.

Remediation Steps:

  1. Identify all web application components utilizing the TinyMCE editor interface.
  2. Update package configurations to load TinyMCE version 6.8.1 (or higher) or version 7.0.0 (or higher).
  3. Modify the initialization call tinymce.init() to include sandbox_iframes: true and convert_unsafe_embeds: true for 6.x installations.
  4. Validate the change by pasting an iframe and an object tag into the editor, then inspecting the serialized output (the value returned by editor.getContent()) to confirm that every iframe carries a sandbox attribute and that no object or embed element survives unconverted.
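The following Node-runnable JavaScript is an added example, not code from this report or from the TinyMCE project. It puts the remediation steps above into checkable form: a hardened tinymce.init() options object next to a typical pre-fix one, a helper that flags an initializer still relying on the 6.8.x defaults, and a string-level audit of serialized editor output (what editor.getContent() returns) that reports iframes without a sandbox attribute, iframes whose sandbox grants both allow-scripts and allow-same-origin (which lets the framed document escape the sandbox), and unconverted object/embed elements. The selector, the HTML samples, and the assumption that a converted object ends up as a sandboxed iframe are constructed for the example.

```javascript
// Added example, not TinyMCE project code.
//   checkInitConfig    - flags a tinymce.init() options object that relies on the
//                        6.8.x defaults (sandbox_iframes / convert_unsafe_embeds off).
//   auditEditorContent - string-level triage of serialized editor output for
//                        unsandboxed <iframe> and unconverted <object>/<embed>.
// The HTML samples below are constructed test strings, not captured editor output.

const HARDENING_OPTIONS = ['sandbox_iframes', 'convert_unsafe_embeds'];

// Return the hardening options that are not explicitly true. On 6.8.x an absent
// option means the insecure default (false); on 7.x the default is already true,
// but stating it explicitly keeps the setting if the package is ever downgraded.
function checkInitConfig(config) {
  return HARDENING_OPTIONS.filter((name) => config[name] !== true);
}

// Hardened initializer for a 6.8.1+ install. The selector is an assumption.
const hardenedInitConfig = {
  selector: 'textarea#content',
  sandbox_iframes: true,
  convert_unsafe_embeds: true,
};

// Typical pre-fix initializer: neither option set, so 6.8.x behaves like 6.8.0.
const weakInitConfig = { selector: 'textarea#content' };

// Scan serialized HTML for the element shapes this CVE is about. This is a regex
// triage for quick validation; in the browser, prefer walking editor.getBody()
// with the DOM API, since attribute values may legally contain '>'.
function auditEditorContent(html) {
  const findings = [];
  const tagRe = /<(iframe|object|embed)\b([^>]*)>/gi;
  const sandboxRe = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s/>]|$)/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const snippet = m[0];
    if (tag !== 'iframe') {
      findings.push({ tag, issue: `legacy <${tag}> not converted (convert_unsafe_embeds off?)`, snippet });
      continue;
    }
    const s = sandboxRe.exec(attrs);
    if (!s) {
      findings.push({ tag, issue: 'iframe without sandbox attribute (sandbox_iframes off?)', snippet });
      continue;
    }
    // sandbox="" is the fully restricted form. A sandbox granting both
    // allow-scripts and allow-same-origin lets the framed document remove its
    // own sandbox attribute, so treat that combination as no sandbox at all.
    const tokens = (s[1] ?? s[2] ?? s[3] ?? '').toLowerCase().split(/\s+/);
    if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
      findings.push({ tag, issue: 'sandbox neutralized by allow-scripts + allow-same-origin', snippet });
    }
  }
  return findings;
}

// Constructed: what a 6.8.0 editor (or 6.8.1 left at its defaults) would keep
// after a user pastes this markup.
const legacyContent = [
  '<p>Pasted by a user</p>',
  '<iframe src="https://example.invalid/widget"></iframe>',
  '<object data="https://example.invalid/legacy.swf" type="application/x-shockwave-flash"></object>',
  '<embed src="https://example.invalid/legacy.swf">',
  '<iframe src="https://example.invalid/x" sandbox="allow-scripts allow-same-origin"></iframe>',
].join('\n');

// Constructed: the shape expected once both options are on. Every iframe carries
// sandbox="" and no <object>/<embed> survives (conversion to an iframe is assumed).
const hardenedContent = [
  '<p>Pasted by a user</p>',
  '<iframe src="https://example.invalid/widget" sandbox=""></iframe>',
  '<iframe src="https://example.invalid/legacy.swf" sandbox=""></iframe>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak config missing:', checkInitConfig(weakInitConfig));
  console.log('legacy findings:', auditEditorContent(legacyContent));
  console.log('hardened findings:', auditEditorContent(hardenedContent));
}
```

Run the audit against editor.getContent() after pasting the test markup in a browser session: on a 6.8.x install with the options unset it reports the unsandboxed iframe and both legacy elements, and on a correctly configured install it returns an empty list. The neutralized-sandbox check is worth keeping in a CI test even after the upgrade, since nothing in the editor stops application code from adding permissive sandbox tokens later.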
