CVE-2023-45819: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's Notification Manager API, identified as CVE-2023-45819. The vulnerability was discovered in October 2023 and affects TinyMCE versions prior to 5.10.8 and 6.7.1. The vulnerability exists in TinyMCE's unfiltered notification system, which is used in error handling (GitHub Advisory).

The vulnerability exploits TinyMCE's unfiltered notification system when handling HTML content within notifications. When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification, allowing for potential XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with required user interaction (NVD).

The vulnerability allows arbitrary JavaScript execution when a notification is presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content (GitHub Advisory).

The vulnerability has been patched in TinyMCE versions 5.10.8 and 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit. Users are advised to upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x, or TinyMCE 6.7.1 or higher for TinyMCE 6.x. There are no known workarounds for this vulnerability (GitHub Advisory).