Home > Vulnerability Database > CVE-2024-21910

Mend.io Vulnerability Database

CVE-2024-21910

Good to know:

Date: January 3, 2024

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.

Language: TYPE_SCRIPT

Severity Score

6.1

Related Resources (10)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21910

Url: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39

Url: https://github.com/jazzband/django-tinymce/releases/tag/3.4.0

Url: https://vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39

Url: https://github.com/advisories/GHSA-r8hm-w5f7-wj39

Url: https://github.com/jazzband/django-tinymce/issues/366

Url: https://github.com/tinymce/tinymce

Url: https://pypi.org/project/django-tinymce/3.4.0

Url: https://pypi.org/project/django-tinymce/3.4.0/

Url: https://www.mend.io/vulnerability-database/CVE-2024-21910

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Windows Shortcut Following (.LNK)

CWE-64

Top Fix

Upgrade Version

Upgrade to version tinymce - 5.10.0;django-tinymce - 3.4.0;tinymce - 5.10.0;tinymce - 5.10.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21910

Good to know:

Date: January 3, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?