CVE-2024-29881
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elementsTinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could potentially contain a XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0.
We have discovered 28,104 live websites that are affected by CVE-2024-29881.
Affected Software
| Product |  TinyMCE |
| Category | Rich Text Editors |
| Vulnerable Domains | 28,104 live websites (100% of TinyMCE install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Mar 26, 2024
- Updated - Aug 2, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-29881 United States | 15,608 websites |
 Germany | 1,903 websites |
 France | 1,600 websites |
 Singapore | 885 websites |
 GB | 834 websites |
 Netherlands | 761 websites |
 Canada | 503 websites |
 Italy | 480 websites |
 Denmark | 466 websites |
 Sweden | 426 websites |
Website Distribution by TLD
Number of websites using CVE-2024-29881| .com | 14,247 websites |
| .org | 1,916 websites |
| .de | 1,165 websites |
| .net | 1,060 websites |
| .fr | 912 websites |
| .io | 807 websites |
| .nl | 675 websites |
| .dk | 631 websites |
| .co.uk | 543 websites |
| .se | 397 websites |
Websites affected by CVE-2024-29881
Top websites that are affected by CVE-2024-29881. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *,*** | |
| ****.******.de | Germany | *,*** | |
| *******.com | United States | *,*** | |
| ********.*********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| ******.io | Singapore | *,*** | |
| *****************.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| ***************.com | United States | **,*** |
FAQ
CVE-2024-29881 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE
A total of 28,104 websites have been identified as vulnerable to CVE-2024-29881, based on global website indexing conducted by WebTechSurvey.
The TinyMCE is affected by the CVE-2024-29881 vulnerability.
TinyMCE versions up to 7 are vulnerable to CVE-2024-29881.
CVE-2024-29881 is resolved in version 7 of TinyMCE.
References
- https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78
- https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1
- https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types
- https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true