High-Severity TinyMCE Cross-Site Scripting Flaw Fixed

web security

The cross-site scripting flaw could enable arbitrary code execution, information disclosure – and even account takeover.

A high-severity flaw has been disclosed in TinyMCE, an open-source text editor used in the content management systems (CMS) of websites. The recently patched flaw could have been potentially exploited remotely by attackers to gain administrative privileges to websites.

TinyMCE, developed by Tiny Technologies, is typically included in content management systems used by third-party websites, and provides web-based text editing functionality including HTML text. Tiny claims that millions of people use TinyMCE daily, however researchers that found the flaw estimate only “thousands” of website CMS tools are actually impacted. Researchers found a built-in cross-site scripting (XSS) flaw in TinyMCE, due to content not being correctly sanitized before being loaded into the editor.

“The risk and impact of this vulnerability on those sites depend on the details of the application in which TinyMCE is used,” according to a Wednesday security advisory from Bishop Fox. “The use of ‘classic’ editing mode, existing XSS protections, and whether users can control the initial content inside the editor all affect the exploitability of this vulnerability.”

George Steketee, Senior Security Consultant with Bishop Fox, told Threatpost that in a real-world attack, for instance, a web forum may utilize TinyMCE to provide an interface for creation of formatted text (such as bold, italics, links, etc). An attacker could input a specially crafted XSS payload into a forum post, and submit it to the forum. In this example, the attacker would need to be authenticated user – meaning that they need to be signed up to post in the forum, but don’t have privileges beyond submitting posts into the forum, Steketee told Threatpost.

“If the attacker could convince an administrator to edit the attacker’s post (and thereby loading their saved payload into an instance of TinyMCE), the embedded script (in the crafted payload) would be executed within the context of the administrative session,” said Steketee. That means that the attacker could gain administrative privileges – paving the way to various other malicious attacks – including arbitrary code execution, sensitive information disclosure and account takeover, said researchers.

The reason behind this attack is that the security hole (CVE-2020-12648) allows attackers to bypass sanitization measures via specially crafted HTML tags. They can inject an <img> tag with arbitrary values [src and onerror] into the editor – simply via the clipboard or APIs.

“In some cases this flaw is very simple – just pasting in the example payload, submitting, and loading the page could trigger it. If vulnerable, this will generally be relatively easy to exploit, but as always in this bug it depends on the app,” said Steketee.

Researchers urge TinyMCE users to ensure that they are updated – particularly if they do not implement additional XSS protections such as a strict content security policy (CSP). The flaw exists in version 5.2.0 and earlier of the TinyMCE application. Users can update to the most recent version of the application – either version 4.9.11, released on July 13, and 5.4.1, released on July 8.

Beyond upgrading, Tiny Technologies said another workaround for the flaw include enabling the media plugin, which overrides the default parsing behavior for iframes, or adding a workaround (found in a security release, here) to update the parsing schema rules for iframes.

“TinyMCE is a web-based rich text editor, and the issue relates to content not being correctly sanitized before being loaded into the editor,” Dylan Just, Security Information Security Lead said in an email to Threatpost. “We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5. Further to this, we recommend that users sanitize content server-side, and add a suitable Content Security Policy to their websites.”

“Security is extremely important to us at Tiny, and we appreciate the efforts of security researchers in helping improve the security of our products,” Just told Threatpost. “We would like to thank Bishop Fox for responsibly disclosing the issue to us and for their prompt communication and professionalism.”

The vulnerability was discovered April 7, 2020, and patches have since been released. The flaw was publicly disclosed this week.

Suggested articles