CVE-2023-48219
Special characters in unescaped text nodes can trigger mXSS in TinyMCETinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
We have discovered 26,637 live websites that are affected by CVE-2023-48219.
Affected Software
| Product |  TinyMCE |
| Category | Rich Text Editors |
| Vulnerable Domains | 26,637 live websites (86.20% of TinyMCE install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 296 versions ( 89.70% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 15, 2023
- Updated - Aug 29, 2024
CWE
CVE References
CWE References
CVE-2023-48219 usage by Country
 United States | 16,059 websites |
 Germany | 2,414 websites |
 France | 1,822 websites |
 Netherlands | 738 websites |
 GB | 575 websites |
 Singapore | 381 websites |
 China | 365 websites |
 Poland | 333 websites |
 Italy | 292 websites |
 Spain | 261 websites |
CVE-2023-48219 usage by TLD
| .com | 14,265 websites |
| .org | 1,453 websites |
| .de | 1,166 websites |
| .fr | 991 websites |
| .net | 763 websites |
| .nl | 715 websites |
| .dk | 625 websites |
| .co.uk | 592 websites |
| .ca | 356 websites |
| .be | 343 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-48219
Top websites that are affected by CVE-2023-48219. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | Germany | *,*** | |
| ****.******.de | United States | *,*** | |
| *******.com | United States | *,*** | |
| ********.*********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| *****************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| ***************.com | United States | **,*** | |
| **********.com | United States | **,*** |
FAQ
CVE-2023-48219 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE
A total of 26,637 websites have been identified as vulnerable to CVE-2023-48219, discovered through global website indexing conducted by WebTechSurvey.
TinyMCE is susceptible to CVE-2023-48219 vulnerability.
TinyMCE versions before 6.7.3 are vulnerable to CVE-2023-48219.
Version 6.7.3 of TinyMCE addresses the CVE-2023-48219 security vulnerability.