CVE-2023-48219: 
JavaScript vulnerability analysis and mitigation

A mutation cross-site scripting (mXSS) vulnerability (CVE-2023-48219) was discovered in TinyMCE, an open source rich text editor. The vulnerability was identified in TinyMCE's core undo/redo functionality and other APIs and plugins, affecting versions 6.0.0 to 6.7.3 and versions prior to 5.10.9. The vulnerability was discovered by Masato Kinugawa of Cure53 and disclosed on November 15, 2023 (GitHub Advisory).

The vulnerability stems from text nodes within specific parents not being escaped upon serialization according to the HTML standard. When these text nodes contain special characters reserved as internal markers, they can be combined with HTML patterns to form malicious snippets. These snippets bypass the initial sanitization layer when parsed into the editor body but trigger XSS when the special internal marker is removed and re-parsed. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability affects several core functionalities including the undo/redo feature, getContent API with raw format, resetContent API, and the Autosave plugin. When exploited, it could allow attackers to execute arbitrary JavaScript code within the context of affected web applications, potentially leading to data theft or manipulation (Security Online).

The vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. The fix ensures that unescaped text nodes containing the special internal marker are emptied before removing the marker from the HTML, and removes the special internal marker from content strings passed to Editor.setContent, Editor.insertContent, and Editor.resetContent APIs. Users are strongly advised to upgrade to these patched versions as there are no known workarounds (TinyMCE Docs).