CVE-2020-17480

NameCVE-2020-17480
DescriptionTinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs972642

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tinymce (PTS)stretch3.4.8+dfsg0-1vulnerable
buster3.4.8+dfsg0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tinymcesource(unstable)(unfixed)972642

Notes

[buster] - tinymce <no-dsa> (Minor issue)
[stretch] - tinymce <no-dsa> (Minor issue)
https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
Search for package or bug name: Reporting problems