CVE-2024-21911: 
JavaScript vulnerability analysis and mitigation

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting (XSS) vulnerability (CVE-2024-21911). The vulnerability was discovered in the URL sanitization logic of the core parser and was disclosed on January 3, 2024. The issue affects the TinyMCE rich text editor, which is widely used with over 350M+ downloads annually (NPM Package).

The vulnerability exists in the URL sanitization logic of the core parser, where an unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower, potentially affecting millions of products worldwide that rely on TinyMCE for rich text editing capabilities (GitHub Advisory).

The vulnerability has been patched in TinyMCE 5.6.0 through improved URL sanitization logic. For users unable to upgrade immediately, there are two workaround options: 1) Manually sanitize iframe, object and embed URL attributes using a TinyMCE node filter, or 2) Disable iframe, object, and embed elements in the content using the invalid_elements setting (Tiny Docs).