CVE-2023-45818: TinyMCE(<6.7.1) XSS

PoC #1

PoC #2

PoC #3

Root cause

XSS is triggered by an assignment to innerHTML after the unsafe string replacement is performed at:

• PoC #1: https://github.com/tinymce/tinymce/blob/79fae0b5868a52bfe2303d237326f7fcf5bdf739/modules/tinymce/src/core/main/ts/dom/TrimHtml.ts#L86
• PoC #2: https://github.com/tinymce/tinymce/blob/79fae0b5868a52bfe2303d237326f7fcf5bdf739/modules/tinymce/src/core/main/ts/dom/TrimHtml.ts#L109
• PoC #3: https://github.com/tinymce/tinymce/blob/79fae0b5868a52bfe2303d237326f7fcf5bdf739/modules/tinymce/src/core/main/ts/dom/TrimHtml.ts#L113

When can it be exploited?

• When an app stores HTML set from user-input and displays it on the editor (especially on the editor shared with multiple users)
• When an app explicitly uses affected TinyMCE APIs for user-input
• When a user pastes the crafted HTML to the editor

See also

• mXSS vulnerability in TinyMCE undo/redo, getContent API, resetContent API, and Autosave plugin · Advisory · tinymce/tinymce
• CVE-2023-48219: TinyMCE(<6.7.3) XSS