CVE-2023-48219
Special characters in unescaped text nodes can trigger mXSS in TinyMCETinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
We have discovered 12,214 live websites that are affected by CVE-2023-48219.
Affected Software
| Product |  TinyMCE |
| Category | Rich Text Editors |
| Vulnerable Domains | 12,214 live websites (100% of TinyMCE install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 15, 2023
- Updated - Aug 29, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2023-48219 United States | 6,982 websites |
 Germany | 825 websites |
 Denmark | 403 websites |
 Sweden | 340 websites |
 France | 333 websites |
 China | 314 websites |
 Poland | 293 websites |
 Netherlands | 264 websites |
 Spain | 262 websites |
 GB | 249 websites |
Website Distribution by TLD
Number of websites using CVE-2023-48219| .com | 6,209 websites |
| .org | 675 websites |
| .dk | 582 websites |
| .de | 495 websites |
| .net | 443 websites |
| .se | 319 websites |
| .pl | 255 websites |
| .nl | 233 websites |
| .es | 201 websites |
| .ca | 158 websites |
Websites affected by CVE-2023-48219
Top websites that are affected by CVE-2023-48219. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.******.de | Germany | *,*** | |
| *****************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ******.fr | United States | **,*** | |
| ***********.*****.com | China | **,*** | |
| ***********.com | United States | **,*** | |
| ***.************.com |  Canada | **,*** | |
| *************.com | United States | **,*** | |
| ******.de | Germany | **,*** | |
| *******.com | United States | **,*** |
FAQ
CVE-2023-48219 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE
A total of 12,214 websites have been identified as vulnerable to CVE-2023-48219, based on global website indexing conducted by WebTechSurvey.
The TinyMCE is affected by the CVE-2023-48219 vulnerability.
TinyMCE versions up to 6.7.3 are vulnerable to CVE-2023-48219.
CVE-2023-48219 is resolved in version 6.7.3 of TinyMCE.