{"vulnerability": "CVE-2024-29203", "sightings": [{"uuid": "5d0f34da-1b70-49bd-9534-d0e55a8355c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-29203", "type": "seen", "source": "https://gist.github.com/alon710/bdf9529c95cfcca7fc47d2945f8e9599", "content": "# CVE-2024-29203: Client-Side Cross-Site Scripting via Unsandboxed Iframes and Legacy Embed Elements in TinyMCE\n\n> **CVSS Score:** 4.3\n> **Published:** 2024-03-26\n> **Full Report:** https://cvereports.com/reports/CVE-2024-29203\n\n## Summary\nCVE-2024-29203 identifies a cross-site scripting (XSS) vulnerability in the content ingestion and parsing mechanics of the TinyMCE rich text editor. Due to a failure to enforce sandbox attributes on dynamic iframe elements and to safely handle legacy embed objects, unauthenticated attackers can inject malicious elements that execute scripts within the context of the parent application session.\n\n## TL;DR\nTinyMCE versions prior to 6.8.1 failed to sandbox pasted/inserted iframes or to convert risky object and embed tags, allowing attackers to execute arbitrary scripts in the application context via client-side payloads.\n\n## Exploit Status: PoC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 (Improper Neutralization of Input During Web Page Generation)\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 4.3 (Medium Severity)\n- **EPSS Score**: 0.01605 (Percentile: 82.11%)\n- **Exploit Status**: PoC / Code-level understanding available\n- **CISA KEV Status**: Not Listed\n- **Ransomware Association**: No\n\n## Affected Systems\n\n- TinyMCE Rich Text Editor\n- **TinyMCE**: < 6.8.1 (Fixed in: `6.8.1`)\n- **TinyMCE**: >= 6.8.2, < 7.0.0 (Fixed in: `7.0.0`)\n\n## Mitigation\n\n- Upgrade TinyMCE to version 6.8.1 or newer.\n- Explicitly configure `sandbox_iframes: true` in TinyMCE 6.x initializers.\n- Explicitly configure `convert_unsafe_embeds: true` in TinyMCE 6.x initializers.\n- Upgrade to TinyMCE 7.x for secure-by-default behavior.\n\n**Remediation Steps:**\n1. Identify all web application components utilizing the TinyMCE editor interface.\n2. Update package configurations to load TinyMCE version 6.8.1 (or higher) or version 7.0.0 (or higher).\n3. Modify the initialization call `tinymce.init()` to include `sandbox_iframes: true` and `convert_unsafe_embeds: true` for 6.x installations.\n4. Validate the change by copying and pasting an iframe and an object tag into the editor, then inspecting the parsed output schema to ensure attributes match expectations.\n\n## References\n\n- [NVD CVE-2024-29203 Detail](https://nvd.nist.gov/vuln/detail/CVE-2024-29203)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2024-29203)\n- [GitHub Security Advisory GHSA-438c-3975-5x3f](https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f)\n- [Fix Commit in GitHub Repository](https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1)\n- [TinyMCE 6.8.1 Release Notes](https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types)\n- [TinyMCE 7.0 Release Notes](https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2024-29203) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T16:41:36.000000Z"}, {"uuid": "7a0cfc80-810b-4df0-bc89-d6225d7aa6fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-29203", "type": "seen", "source": "https://gist.github.com/alon710/8327e427344b759299d1377846fdfcd3", "content": "# CVE-2024-29203: Client-Side Cross-Site Scripting via Unsandboxed Iframes and Legacy Embed Elements in TinyMCE\n\n> **CVSS Score:** 4.3\n> **Published:** 2024-03-26\n> **Full Report:** https://cvereports.com/reports/CVE-2024-29203\n\n## Summary\nCVE-2024-29203 identifies a cross-site scripting (XSS) vulnerability in the content ingestion and parsing mechanics of the TinyMCE rich text editor. Due to a failure to enforce sandbox attributes on dynamic iframe elements and to safely handle legacy embed objects, unauthenticated attackers can inject malicious elements that execute scripts within the context of the parent application session.\n\n## TL;DR\nTinyMCE versions prior to 6.8.1 failed to sandbox pasted/inserted iframes or to convert risky object and embed tags, allowing attackers to execute arbitrary scripts in the application context via client-side payloads.\n\n## Exploit Status: PoC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 (Improper Neutralization of Input During Web Page Generation)\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 4.3 (Medium Severity)\n- **EPSS Score**: 0.01605 (Percentile: 82.11%)\n- **Exploit Status**: PoC / Code-level understanding available\n- **CISA KEV Status**: Not Listed\n- **Ransomware Association**: No\n\n## Affected Systems\n\n- TinyMCE Rich Text Editor\n- **TinyMCE**: < 6.8.1 (Fixed in: `6.8.1`)\n- **TinyMCE**: >= 6.8.2, < 7.0.0 (Fixed in: `7.0.0`)\n\n## Mitigation\n\n- Upgrade TinyMCE to version 6.8.1 or newer.\n- Explicitly configure `sandbox_iframes: true` in TinyMCE 6.x initializers.\n- Explicitly configure `convert_unsafe_embeds: true` in TinyMCE 6.x initializers.\n- Upgrade to TinyMCE 7.x for secure-by-default behavior.\n\n**Remediation Steps:**\n1. Identify all web application components utilizing the TinyMCE editor interface.\n2. Update package configurations to load TinyMCE version 6.8.1 (or higher) or version 7.0.0 (or higher).\n3. Modify the initialization call `tinymce.init()` to include `sandbox_iframes: true` and `convert_unsafe_embeds: true` for 6.x installations.\n4. Validate the change by copying and pasting an iframe and an object tag into the editor, then inspecting the parsed output schema to ensure attributes match expectations.\n\n## References\n\n- [NVD CVE-2024-29203 Detail](https://nvd.nist.gov/vuln/detail/CVE-2024-29203)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2024-29203)\n- [GitHub Security Advisory GHSA-438c-3975-5x3f](https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f)\n- [Fix Commit in GitHub Repository](https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1)\n- [TinyMCE 6.8.1 Release Notes](https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types)\n- [TinyMCE 7.0 Release Notes](https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2024-29203) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-09T16:51:31.000000Z"}]}