CVE-2023-48219: TinyMCE(<6.7.3) XSS

PoC

Root cause

After the CVE-2023-45818 fix, it removes comment nodes containing U+FEFF by this code. But in other nodes, it still did a simple string replacement, so above bypass worked due to the noscript's serialization behavior explained in HTML spec.

When can it be exploited?

• When an app stores HTML set from user-input and displays it on the editor (especially on the editor shared with multiple users)
• When an app explicitly uses affected TinyMCE APIs for user-input
• When a user pastes the crafted HTML to the editor

See also

• Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin · Advisory · tinymce/tinymce
• CVE-2023-45818: TinyMCE(<6.7.1) XSS