CVE-2024-21908: 
JavaScript vulnerability analysis and mitigation

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting (XSS) vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. The vulnerability was discovered in the schema validation logic of the core parser (GitHub Advisory).

The vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor if no server-side sanitization was performed. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows an attacker to execute arbitrary JavaScript code in another user's browser through crafted HTML content. This could potentially lead to unauthorized access to user data, session hijacking, or other malicious actions within the context of the user's browser session (GitHub Advisory).

The vulnerability has been patched in TinyMCE version 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements. For users unable to upgrade, a workaround is available by manually sanitizing content using the BeforeSetContent event. Example: editor.on('BeforeSetContent', function(e) { var sanitizedContent = ...; e.content = sanitizedContent; }) (GitHub Advisory).