CVE-2024-29203
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframesTinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1.
We have discovered 27,550 live websites that are affected by CVE-2024-29203.
Affected Software
| Product |  TinyMCE |
| Category | Rich Text Editors |
| Vulnerable Domains | 27,550 live websites (89.15% of TinyMCE install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 304 versions ( 92.12% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Mar 26, 2024
- Updated - Aug 6, 2024
CWE
CVE References
CWE References
CVE-2024-29203 usage by Country
 United States | 16,121 websites |
 Germany | 2,422 websites |
 France | 1,823 websites |
 Singapore | 1,190 websites |
 Netherlands | 744 websites |
 GB | 588 websites |
 China | 366 websites |
 Poland | 334 websites |
 Italy | 292 websites |
 Spain | 262 websites |
CVE-2024-29203 usage by TLD
| .com | 14,306 websites |
| .org | 1,506 websites |
| .de | 1,168 websites |
| .fr | 993 websites |
| .io | 823 websites |
| .net | 764 websites |
| .nl | 734 websites |
| .dk | 625 websites |
| .co.uk | 598 websites |
| .ca | 357 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-29203
Top websites that are affected by CVE-2024-29203. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | Germany | *,*** | |
| ****.******.de | United States | *,*** | |
| *******.com | United States | *,*** | |
| ********.*********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| ******.io | Singapore | *,*** | |
| *****************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| ***************.com | United States | **,*** |
FAQ
CVE-2024-29203 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE
A total of 27,550 websites have been identified as vulnerable to CVE-2024-29203, discovered through global website indexing conducted by WebTechSurvey.
TinyMCE is susceptible to CVE-2024-29203 vulnerability.
TinyMCE versions before 6.8.1 are vulnerable to CVE-2024-29203.
Version 6.8.1 of TinyMCE addresses the CVE-2024-29203 security vulnerability.
References
- https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f
- https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
- https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
- https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true