Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881

Moderate severity GitHub Reviewed Published Apr 24, 2024 in pimcore/pimcore • Updated Apr 24, 2024

Package

composer pimcore/pimcore (Composer)

Affected versions

>= 11.0.0-ALPHA1, < 11.2.3

Patched versions

11.2.3

Description

Impact

The TinyMCE Bundle ships tinymce version 6.7.3. The following CVEs affect tinymce versions below 6.8.1:
https://nvd.nist.gov/vuln/detail/CVE-2024-29203
https://nvd.nist.gov/vuln/detail/CVE-2024-29881

Patches

The bundled tinymce package should be updated to at least 6.8.1 to avoid the XSS vulnerabilities.

Workarounds

Upgrade pimcore to release 11.2.3.
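To turn the affected and patched version ranges above into a repeatable check, the following script (an added example, not part of the advisory or of Pimcore's code) reads a composer.lock, locates pimcore/pimcore and reports whether the installed version falls inside >= 11.0.0-ALPHA1, < 11.2.3; it also compares a tinymce version string against the 6.8.1 fix version. It assumes the standard composer.lock JSON layout (a "packages" array of objects with "name" and "version") and Composer-style version strings such as "v11.2.2" or "11.0.0-ALPHA1"; the sample lock fragment embedded below is constructed for illustration.

```python
import json
import re

# Ranges taken from the advisory: pimcore/pimcore affected >= 11.0.0-ALPHA1, < 11.2.3;
# upstream tinymce fixed in 6.8.1.
PIMCORE_AFFECTED_LOWER = "11.0.0-ALPHA1"
PIMCORE_PATCHED = "11.2.3"
TINYMCE_FIXED = "6.8.1"

# Pre-release labels in ascending order, as Composer sorts them.
_PRE_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}


def version_key(version):
    """Turn a Composer/npm style version ('v11.2.2', '11.0.0-ALPHA1') into a sortable tuple.

    A pre-release sorts below the stable release with the same numbers, which is what
    makes 11.0.0-ALPHA1 < 11.0.0 and 11.2.2 < 11.2.3 come out right. Non-numeric
    components (e.g. 'dev-master') collapse to 0, so such versions sort lowest rather
    than raising; treat them as 'unknown' in a real scan.
    """
    v = version.strip().lstrip("vV")
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))  # pad so 11.2 == 11.2.0
    if not pre:
        return (nums, 1, (0, 0))  # stable release ranks above any pre-release
    m = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    label = m.group(1).lower() if m else pre.lower()
    num = int(m.group(2)) if m and m.group(2) else 0
    return (nums, 0, (_PRE_ORDER.get(label, 0), num))


def in_range(version, lower_inclusive, upper_exclusive):
    """True if lower <= version < upper, the convention GHSA uses for 'affected versions'."""
    k = version_key(version)
    return version_key(lower_inclusive) <= k < version_key(upper_exclusive)


def pimcore_affected(version):
    """Is this pimcore/pimcore version inside the advisory's affected range?"""
    return in_range(version, PIMCORE_AFFECTED_LOWER, PIMCORE_PATCHED)


def tinymce_affected(version):
    """Is this tinymce version older than the upstream fix (6.8.1)?"""
    return version_key(version) < version_key(TINYMCE_FIXED)


def check_composer_lock(lock_text):
    """Return {package_name: (installed_version, affected_bool)} for pimcore/pimcore
    entries found in a composer.lock document (both 'packages' and 'packages-dev')."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "pimcore/pimcore":
                ver = pkg["version"]
                findings[pkg["name"]] = (ver, pimcore_affected(ver))
    return findings


# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "pimcore/pimcore", "version": "v11.2.2"},
        {"name": "symfony/console", "version": "v6.4.1"},
    ]
})

if __name__ == "__main__":
    for name, (ver, hit) in check_composer_lock(SAMPLE_LOCK).items():
        status = "AFFECTED, upgrade to %s" % PIMCORE_PATCHED if hit else "ok"
        print("%s %s: %s" % (name, ver, status))
    print("bundled tinymce 6.7.3 affected:", tinymce_affected("6.7.3"))
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of the project's composer.lock; a version at or above 11.2.3 reports "ok", and anything from 11.0.0-ALPHA1 up to 11.2.2 (including 11.x betas and release candidates) reports as affected.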

References

https://nvd.nist.gov/vuln/detail/CVE-2024-29203
https://nvd.nist.gov/vuln/detail/CVE-2024-29881

References

@wisconaut wisconaut published to pimcore/pimcore Apr 24, 2024
Published to the GitHub Advisory Database Apr 24, 2024
Reviewed Apr 24, 2024
Last updated Apr 24, 2024

Severity

Moderate 6.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID

No known CVE

GHSA ID

GHSA-vjwg-28gv-pm8h
